👤 DEBUGSAGE
🗓️ 19 Dec 2025   🌍 Africa

Inside the Takedown: Nigerian Police Nab Mastermind Behind Global Microsoft 365 Phishing Ring

A major phishing-as-a-service developer is in custody after a sweeping investigation links Nigerian cybercriminals to thousands of Microsoft 365 breaches worldwide.

It began like so many other mornings for corporate security teams worldwide: a suspicious login alert, a spoofed Microsoft 365 page, and another set of stolen credentials. But this time, the story ends with a rare victory for law enforcement. In a coordinated strike, Nigerian authorities have arrested the alleged developer behind RaccoonO365, a notorious phishing-as-a-service (PhaaS) toolkit that has powered a wave of cyberattacks against businesses and institutions in nearly 100 countries.

The investigation, spearheaded by Nigeria's National Cybercrime Centre (NPF–NCCC), marks a significant blow against the PhaaS underworld. Working alongside Microsoft and the FBI, investigators traced the digital fingerprints of RaccoonO365 to Okitipi Samuel, who allegedly operated under the alias Moses Felix. According to police statements, Samuel not only developed the sophisticated phishing infrastructure but also managed a Telegram channel where he sold phishing links for cryptocurrency and distributed access to fraudulent login portals hosted on Cloudflare.

The RaccoonO365 toolkit, tracked by Microsoft as Storm-2246, allowed even low-skilled criminals to launch convincing credential harvesting campaigns. By cloning Microsoft 365 authentication pages, attackers tricked victims into handing over login details, which were then used to infiltrate email systems of corporations, financial institutions, and universities. These breaches often escalated into business email compromise (BEC), enabling criminals to divert funds, steal sensitive data, and even launch ransomware attacks.

In September 2025, Microsoft and Cloudflare seized 338 domains linked to RaccoonO365, but the damage had already been done. Investigators estimate that since July 2024, the group’s infrastructure enabled the theft of at least 5,000 sets of credentials from users in 94 countries. The investigation also revealed the use of these credentials to further cybercrime, from financial fraud to intellectual property theft.

The crackdown comes amid a broader offensive against PhaaS operators. Microsoft and Health-ISAC have filed civil suits against other alleged kit vendors, while Google has targeted rival PhaaS groups like Darcula and Lighthouse, whose smishing and phishing campaigns have impacted millions. The collective actions signal a new willingness among tech giants and law enforcement to cripple the infrastructure enabling cybercrime at scale.

As digital threats grow more sophisticated, the RaccoonO365 takedown stands as both a warning and a rare win. While one phishing kingpin sits behind bars, the global cat-and-mouse game between cybercriminals and defenders is far from over. For now, corporate defenders can breathe a little easier - but only for a moment.

WIKICROOK

  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.
  • Business Email Compromise (BEC): Business Email Compromise (BEC) is a scam where criminals hack or impersonate business emails to trick companies into sending money to fraudulent accounts.
  • Smishing: Smishing is a digital scam that uses deceptive SMS messages to steal victims' personal data or money, often by posing as trusted entities.
  • Cloudflare: Cloudflare is a service that protects and speeds up websites by hiding their real location and blocking attacks, but can also mask harmful sites.