Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace

14 January 2026 at 10:00

Microsoft announced Wednesday that it worked with international law enforcement to seize infrastructure used to run cybercrime subscription service RedVDS and organized civil actions in the United States and United Kingdom to disrupt its further use.

RedVDS has enabled at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Victims that are joining Microsoft as co-plaintiffs in the civil action include Alabama-based H2 Pharma, a pharmaceutical company that lost more than $7.3 million, and Florida-based Gatehouse Dock Condominium Association, which was tricked out of nearly $500,000.

“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable and difficult to trace,” Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said in a blog post. “It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously and across borders.”

Microsoft said a joint operation with Europol and authorities in Germany allowed it to seize RedVDS’s infrastructure and take the marketplace offline. Cybercriminals used the site, which included a loyalty program and referral bonuses for customers, to send high-volume phishing attacks, host infrastructure for scams and facilitate fraud such as business email compromise.

Microsoft customers were among those impacted by RedVDS’s tools and services.

“Since September 2025, RedVDS-enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide,” Masada said in the blog post. “These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.”

Over the course of a month, more than 2,600 RedVDS virtual machines sent Microsoft customers an average of one million phishing messages per day, Masada added.

RedVDS facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise. The marketplace was also used to compromise the accounts of realtors, escrow agents and title companies to divert payments, according to Microsoft.

More than 9,000 customers, many in Canada and Australia, were directly impacted by real estate-related fraud aided by RedVDS. Microsoft Threat Intelligence said other scams enabled by RedVDS hit organizations in construction, manufacturing, healthcare, logistics, education and legal services.

Researchers said the marketplace’s user interface was loaded with features that allowed eager cybercriminals to purchase unlicensed and inexpensive Windows-based remote desktop protocol servers with full administrator control. RedVDS reused a single, cloned Windows host image across the service, which allowed researchers to find unique technical fingerprints.

The group that develops and operates RedVDS is tracked by Microsoft as Storm-2470. At least five additional cybercrime groups and cybercriminals who used the Racoon0365 phishing service prior to its takedown in October were also using RedVDS infrastructure, according to Microsoft Threat Intelligence.

RedVDS’s site first launched in 2019 and has remained in operation since, providing servers in the U.S., U.K., Canada, France, the Netherlands and Germany. The marketplace “has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks, including credential theft, account takeovers and mass phishing,” researchers said in a report.

RedVDS rented servers from third-party hosting providers, including at least five hosting companies in the U.S., Canada, U.K., France and the Netherlands. This allowed RedVDS to provision IP addresses in geolocations close to targets, allowing cybercriminals to evade location-based security filters and blend in with normal data center traffic, researchers added.

“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada said. “Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.”

The post Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace appeared first on CyberScoop.

Spanish police disrupt Black Axe, arrest alleged leaders in action spanning four cities

12 January 2026 at 18:13

Authorities arrested 34 alleged cybercriminals in Spain, including some leaders of Black Axe, a transnational criminal organization responsible for adversary-in-the-middle scams such as business email compromise, money laundering and vehicle trafficking, the Spanish National Police said Friday.

A coordinated law enforcement operation that fanned out to Seville, Madrid, Malaga and Barcelona significantly disrupted the group’s activities, according to Europol, which supported the takedown alongside officers from Germany.

Officials targeted the organized crime network’s leadership and froze $139,000 in bank accounts. Police also seized $77,000 in cash, five vehicles and devices allegedly used for criminal activity.

Europol described Black Axe as a highly structured, hierarchical group that generates billions of dollars in criminal proceeds annually from many small-scale operations spanning dozens of countries. The group’s leaders, including 10 people arrested last week, are Nigerian nationals, authorities said.

The Spanish National Police began investigating the group, which specializes in corporate fraud through business email compromise, in September 2023. Black Axe used an extensive network to conceal their money and recruited money mules throughout Europe to receive, transfer and withdraw funds from the scams, officials said.

The group also allegedly established shell companies to acquire vehicles and then deliberately defaulted on payments before renting or selling the vehicles. Europol investigators estimate Black Axe is responsible for more than $6.9 million in fraud.

Black Axe was involved in other criminal activities, including drug trafficking, human trafficking and prostitution, kidnapping and armed robbery, officials said.

The Spanish National Police said four of Black Axe’s main leaders remain in custody and face charges for aggravated fraud, membership in a criminal organization, money laundering, document forgery and obstruction of justice.

The post Spanish police disrupt Black Axe, arrest alleged leaders in action spanning four cities appeared first on CyberScoop.