
Nigeria arrests RaccoonO365 phishing developer tied to Microsoft attacks


Authorities say the operation supported large-scale credential theft and business email compromise activity.

 

What happened

Nigerian law enforcement announced the arrest of three individuals in connection with phishing attacks targeting Microsoft 365 users worldwide, including the suspected developer of the RaccoonO365 phishing-as-a-service platform. According to reporting by The Hacker News, the Nigeria Police Force National Cybercrime Centre identified Okitipi Samuel, also known as Moses Felix, as the primary developer behind the phishing infrastructure, following a joint investigation with Microsoft and the FBI. Authorities said the platform was used to sell phishing links through Telegram and to host fake Microsoft login pages designed to capture credentials.

 

Going deeper

RaccoonO365 is a phishing toolkit that enables attackers to deploy credential harvesting pages that closely mimic Microsoft 365 authentication flows. Microsoft tracks the activity under the name Storm-2246. Investigators said the platform was linked to unauthorized access incidents across corporate, financial, and educational institutions between January and September 2025. Earlier this year, Microsoft and Cloudflare coordinated to take down hundreds of domains associated with the service, which security teams estimate contributed to the theft of thousands of credentials across dozens of countries. Devices and digital assets connected to the Nigerian operation were seized during raids in Lagos and Edo states, while police said the two additional suspects were not involved in developing the phishing service itself.

 

What was said

The Nigeria Police Force said the suspect operated infrastructure that enabled phishing at scale and accepted cryptocurrency payments in exchange for access to malicious links. Microsoft confirmed that it continues to work with international partners to disrupt phishing operations that abuse its brand and cloud services. In a separate civil action filed earlier this year, Microsoft and Health-ISAC alleged that operators associated with RaccoonO365 distributed the toolkit to other criminals, allowing them to conduct targeted phishing and steal sensitive data that was later used for financial fraud and further intrusions.

 

The big picture

Independent forensic analysis shows how services like RaccoonO365 enable phishing at a global scale by design. Researchers found that the toolkit “can be purchased and used by anyone,” allowing campaigns to reach “at least 94 different countries” and resulting in “over 5,000 Microsoft credentials” being stolen in a short period. The service was repeatedly tied to seasonal lures, with attackers using “tax-themed emails” to exploit predictable user behavior and affect “over 2,300 organizations” during peak filing periods.

Healthcare and other sensitive sectors have also been pulled into these campaigns. Microsoft has reported that “at least 20 healthcare organizations have been targeted using RaccoonO365,” with phishing emails serving as delivery mechanisms for “malware such as infostealers or ransomware.” Analysts warn that these attacks do more than expose credentials, noting that ransomware activity can “disrupt care and lead to delays in treatment,” while stolen data may be resold or reused, leaving organizations vulnerable to ongoing fraud and follow-on intrusions.

 

FAQs

What is RaccoonO365?

RaccoonO365 is a phishing toolkit that allows attackers to deploy fake Microsoft 365 login pages to collect usernames, passwords, and authentication tokens.

 

Why are Microsoft 365 users frequently targeted?

Microsoft 365 is widely used by businesses and institutions, making compromised accounts valuable for email access, internal fraud, and lateral movement.

 

How do phishing-as-a-service platforms work?

Developers create and maintain phishing infrastructure, then sell access to other criminals who use it to launch campaigns without building tools themselves.

 

What happens after credentials are stolen?

Attackers often access email accounts, reset passwords, intercept communications, and conduct business email compromise or financial fraud.

 

How can organizations reduce exposure to these attacks?

They can enforce strong authentication, restrict legacy login methods, monitor for suspicious sign-in activity, and train users to verify login pages before entering credentials.
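As an added illustration of the "monitor for suspicious sign-in activity" and "restrict legacy login methods" advice above (this is example code written for this page, not code from Paubox, Microsoft, or any of the reporting cited), the script below runs three simple checks over sign-in records: legacy-protocol sign-ins that cannot enforce MFA, successful sign-ins from a country outside a user's baseline, and two successful sign-ins from different countries too close together to be the same person. The record shape is an assumed subset of the Microsoft Graph signIn resource fields (userPrincipalName, createdDateTime, ipAddress, clientAppUsed, authenticationRequirement, location.countryOrRegion, status.errorCode); the sample events and the per-user country baseline are constructed for the example.

```python
"""Flag sign-in patterns that commonly follow credential phishing.

Assumed input: a JSON list of records shaped like a subset of the Microsoft
Graph signIn resource. The events below are constructed sample data, not real
log entries, and the example.com users are hypothetical.
"""
import json
from datetime import datetime, timedelta

# clientAppUsed values that indicate legacy (basic) authentication. These
# protocols cannot complete an MFA challenge, so a phished password alone is
# enough to log in through them.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients",
}

# Two successful sign-ins from different countries closer together than this
# are treated as impossible travel. Deliberately crude; production logic would
# use distance and allow-listed corporate egress ranges.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)

# Constructed sample events (not real log data).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-10T09:00:00Z",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-10T09:40:00Z",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-10T10:00:00Z",
     "ipAddress": "192.0.2.55", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-10T11:00:00Z",
     "ipAddress": "203.0.113.20", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
])

# Constructed baseline: countries each user has historically signed in from.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def parse_signins(text):
    """Normalise the raw JSON records into flat dicts, oldest first."""
    events = []
    for rec in json.loads(text):
        events.append({
            "user": rec["userPrincipalName"],
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "ip": rec["ipAddress"],
            "app": rec["clientAppUsed"],
            "mfa": rec["authenticationRequirement"] == "multiFactorAuthentication",
            "country": rec["location"]["countryOrRegion"],
            "ok": rec["status"]["errorCode"] == 0,  # 0 means the sign-in succeeded
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events, known_countries):
    """Return (rule, user, detail) alerts for the three checks described above."""
    alerts = []
    last_success = {}  # user -> most recent successful event
    for e in events:
        # Legacy auth is worth flagging even when it fails: a burst of IMAP
        # failures is often someone replaying a phished password list.
        if e["app"] in LEGACY_CLIENT_APPS:
            alerts.append(("legacy_auth", e["user"], f"{e['app']} from {e['ip']}"))
        if not e["ok"]:
            continue
        # A successful sign-in from outside the user's baseline. MFA being
        # satisfied does not clear it: a kit that steals the session token has
        # already passed the MFA step on the victim's behalf.
        if e["country"] not in known_countries.get(e["user"], set()):
            alerts.append(("new_country", e["user"], f"{e['country']} (mfa={e['mfa']})"))
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] \
                and e["time"] - prev["time"] < IMPOSSIBLE_TRAVEL_WINDOW:
            alerts.append(("impossible_travel", e["user"],
                           f"{prev['country']}->{e['country']}"))
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_signins(SAMPLE_SIGNINS), KNOWN_COUNTRIES):
        print(f"{rule:18} {user:20} {detail}")
```

On the constructed data this produces three alerts: alice's second sign-in trips both the new-country and impossible-travel rules, and bob's failed IMAP4 attempt trips the legacy-auth rule; carol's normal MFA sign-in produces nothing. The country baseline and the two-hour window are the knobs a team would tune against its own sign-in history before alerting on them.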
