Authorities say the operation supported large-scale credential theft and business email compromise activity.
Nigerian law enforcement announced the arrest of three individuals in connection with phishing attacks targeting Microsoft 365 users worldwide, including the suspected developer of the RaccoonO365 phishing-as-a-service platform. According to reporting by The Hacker News, the Nigeria Police Force National Cybercrime Centre identified Okitipi Samuel, also known as Moses Felix, as the primary developer behind the phishing infrastructure, following a joint investigation with Microsoft and the FBI. Authorities said the platform was used to sell phishing links through Telegram and to host fake Microsoft login pages designed to capture credentials.
RaccoonO365 is a phishing toolkit that enables attackers to deploy credential harvesting pages that closely mimic Microsoft 365 authentication flows. Microsoft tracks the activity under the name Storm-2246. Investigators said the platform was linked to unauthorized access incidents across corporate, financial, and educational institutions between January and September 2025. Earlier this year, Microsoft and Cloudflare coordinated to take down hundreds of domains associated with the service, which security teams estimate contributed to the theft of thousands of credentials across dozens of countries. Devices and digital assets connected to the Nigerian operation were seized during raids in Lagos and Edo states, while police said the two additional suspects were not involved in developing the phishing service itself.
The Nigeria Police Force said the suspect operated infrastructure that enabled phishing at scale and accepted cryptocurrency payments in exchange for access to malicious links. Microsoft confirmed that it continues to work with international partners to disrupt phishing operations that abuse its brand and cloud services. In a separate civil action filed earlier this year, Microsoft and Health-ISAC alleged that operators associated with RaccoonO365 distributed the toolkit to other criminals, allowing them to conduct targeted phishing and steal sensitive data that was later used for financial fraud and further intrusions.
Independent forensic analysis shows how services like RaccoonO365 enable phishing at a global scale by design. Researchers found that the toolkit “can be purchased and used by anyone,” allowing campaigns to reach “at least 94 different countries” and resulting in “over 5,000 Microsoft credentials” being stolen in a short period. The service was repeatedly tied to seasonal lures, with attackers using “tax-themed emails” to exploit predictable user behavior and affect “over 2,300 organizations” during peak filing periods.
Healthcare and other sensitive sectors have also been pulled into these campaigns. Microsoft has reported that “at least 20 healthcare organizations have been targeted using RaccoonO365,” with phishing emails serving as delivery mechanisms for “malware such as infostealers or ransomware.” Analysts warn that these attacks do more than expose credentials, noting that ransomware activity can “disrupt care and lead to delays in treatment,” while stolen data may be resold or reused, leaving organizations vulnerable to ongoing fraud and follow-on intrusions.
RaccoonO365 is a phishing toolkit that allows attackers to deploy fake Microsoft 365 login pages to collect usernames, passwords, and authentication tokens.
Microsoft 365 is widely used by businesses and institutions, making compromised accounts valuable for email access, internal fraud, and lateral movement.
Developers create and maintain phishing infrastructure, then sell access to other criminals who use it to launch campaigns without building tools themselves.
Attackers often access email accounts, reset passwords, intercept communications, and conduct business email compromise or financial fraud.
Organizations can enforce strong authentication, restrict legacy login methods, monitor for suspicious sign-in activity, and train users to verify login pages before entering credentials.