Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

These articles are AI-generated summaries. Please check the original sources for full details.

Nigeria Arrests RaccoonO365 Phishing Developer

Nigerian police arrested three individuals, including the principal developer of the RaccoonO365 phishing-as-a-service (PhaaS) scheme, following a joint investigation with Microsoft and the FBI. The scheme operated via a Telegram channel selling phishing links, resulting in the compromise of Microsoft 365 credentials.

Why This Matters

Ideal security models assume user vigilance, but phishing exploits inherent human trust and technical vulnerabilities. The RaccoonO365 infrastructure led to the theft of at least 5,000 Microsoft credentials from 94 countries, demonstrating the scale of potential damage and financial loss from even a single PhaaS toolkit. Mitigating these attacks requires a multi-layered approach including robust authentication, employee training, and proactive threat intelligence.

Key Insights

  • RaccoonO365 domains seized, September 2025: Microsoft, with Cloudflare, seized 338 domains used by the RaccoonO365 phishing infrastructure.
  • PhaaS lowers barrier to entry: Phishing-as-a-Service allows less technically skilled actors to launch sophisticated attacks, increasing the volume and frequency of credential harvesting.
  • Storm-2246: Microsoft tracks the RaccoonO365 threat actor under the moniker Storm-2246, facilitating threat intelligence sharing.

Practical Applications

  • Use Case: Microsoft uses takedown requests and legal action (a lawsuit against Ogundipe) to disrupt PhaaS operations and protect customers.
  • Pitfall: Reliance solely on user awareness training is insufficient; multi-factor authentication (MFA) is crucial to prevent account compromise even with stolen credentials.
