Full Report
Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with
Analysis Summary
# Threat Actor: RaccoonO365 (Attributed Group)
## Attribution & Identity
**Principal Suspect Arrested:** Okitipi Samuel, also known as Moses Felix.
**Associated Group Name:** RaccoonO365 (a financially motivated Threat Actor/PhaaS operator).
**Vendor Tracking Alias:** Microsoft (not a law-enforcement body) tracks the actor behind the service as **Storm-2246**.
**Law Enforcement Action:** Arrested by the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) in collaboration with Microsoft and the FBI.
## Activity Summary
The group operated a Phishing-as-a-Service (PhaaS) scheme centered around a toolkit designed to mimic Microsoft 365 login pages for credential harvesting.
**Recent Activity:** Investigations uncovered incidents of unauthorized Microsoft 365 account access between January and September 2025, following phishing campaigns.
**Historical Scope (since July 2024):** The kit and its hosting infrastructure are estimated to have been used to steal at least 5,000 Microsoft credentials from victims in 94 countries.
**Previous Action:** In September 2025, Microsoft and Cloudflare seized 338 domains associated with RaccoonO365's infrastructure.
**Other Associated Legal Action:** A civil lawsuit was filed in September 2025 by Microsoft and Health-ISAC against Joshua Ogundipe and others for selling, distributing, and implementing the phishing kit.
## Tactics, Techniques & Procedures
- **Credential Phishing:** Serving phishing pages specifically designed to mimic legitimate Microsoft 365 authentication pages.
- **Phishing-as-a-Service (PhaaS):** Selling access to the phishing toolkit via a dedicated Telegram channel, accepting cryptocurrency for transactions.
- **Infrastructure Hosting:** Utilizing Cloudflare to host fraudulent login portals.
- **Credential Harvesting:** Stealing user credentials to gain unauthorized access to M365 accounts.
- **Malicious Outcome:** Using stolen credentials to facilitate Business Email Compromise (BEC), data breaches, and financial losses.
## Targeting
- **Sectors:** Corporate institutions, financial institutions, and educational institutions.
- **Geography:** Targeted victims across 94 countries.
- **Victims:** Major corporations using Microsoft 365 services.
## Tools & Infrastructure
- **Tooling:** The RaccoonO365 phishing kit, sold as a service. It is a hosted credential-harvesting web front end that imitates the Microsoft 365 sign-in flow, not a malware family that runs on the victim's machine.
- **Infrastructure:** Operated a Telegram channel for sales; used Cloudflare for hosting fraudulent login portals.
- **Payment Mechanism:** Accepted cryptocurrency for sales of the phishing links/service access.
## Implications
This actor was a significant distributor of M365 credential harvesting capabilities via a PhaaS model, directly enabling subsequent Business Email Compromise, data theft, and potentially ransomware attacks across numerous organizations globally. The arrest of the primary developer marks a significant blow to this specific distribution network.
## Mitigations
- Enforce Multi-Factor Authentication (MFA) on all Microsoft 365 accounts, especially for privileged users, so that a harvested password alone is not enough. Prefer phishing-resistant methods (FIDO2 security keys or passkeys): kits that proxy a cloned sign-in page can relay one-time codes and push prompts, so SMS or authenticator-app MFA reduces but does not eliminate the risk.
- Conduct continuous user training focused on recognizing spoofed Microsoft 365 sign-in pages; teach users to judge the URL in the address bar rather than the look of the page, since the kit reproduces the legitimate page closely.
- Monitor for domain squatting and newly registered lookalike domains that imitate Microsoft 365 sign-in hosts, and block them in mail filtering and web proxies.
- Monitor Microsoft 365 sign-in logs for successful logins from unusual countries, impossible-travel sequences, or new devices, which is the pattern produced when stolen credentials are replayed by the operator from infrastructure far from the victim.
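The last two mitigations (lookalike-domain monitoring and anomalous sign-in detection), as an added example that is not code from the original report, from Microsoft or from the NPF-NCCC. It normalizes common homoglyph tricks and scores hostnames against Microsoft brand strings, then runs a new-country and impossible-travel check over sign-in records. The allowlist of legitimate suffixes, the brand and homoglyph tables, the 900 km/h travel threshold and the sample sign-in records are all assumptions or constructed data; the record shape only loosely follows Entra ID sign-in log fields.

```python
import math
import re
from datetime import datetime

# Assumed allowlist of legitimate Microsoft 365 sign-in domains; extend for your tenant.
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                  "office365.com", "live.com", "sharepoint.com")
BRANDS = ("microsoftonline", "microsoft", "office365", "office",
          "outlook", "sharepoint", "onedrive")
# Homoglyph swaps common in lookalike registrations (assumed list, not exhaustive).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(label):
    """Lower-case, undo homoglyphs and strip separators: 'rnicros0ft-login' -> 'microsoftlogin'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the Microsoft brand string a hostname impersonates, or None."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return None
    # Dropping the last label is a crude public-suffix strip; use a PSL library in production.
    for label in host.split(".")[:-1]:
        norm = normalize(label)
        for brand in BRANDS:
            # An embedded brand (micros0ft-login) or a near-miss (offlce365) both count.
            if brand in norm or levenshtein(norm, brand) <= (2 if len(brand) >= 8 else 1):
                return brand
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_signins(events, baseline, max_kmh=900):
    """Flag successful sign-ins from outside a user's baseline countries, and sign-ins
    implying travel faster than max_kmh since that user's previous success."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["result"] != "success":      # failed attempts never become the travel baseline
            continue
        user, t = ev["user"], datetime.fromisoformat(ev["time"])
        if ev["country"] not in baseline.get(user, set()):
            alerts.append({"user": user, "kind": "new_country",
                           "detail": ev["country"], "time": ev["time"]})
        prev = last.get(user)
        if prev:
            hours = (t - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append({"user": user, "kind": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours:.1f} h", "time": ev["time"]})
        last[user] = {"t": t, "lat": ev["lat"], "lon": ev["lon"]}
    return alerts


# Constructed sample sign-in records (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2025-03-04T08:00:00+00:00", "result": "success",
     "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "time": "2025-03-04T08:30:00+00:00", "result": "success",
     "country": "DE", "lat": 50.1109, "lon": 8.6821},
    {"user": "bob", "time": "2025-03-04T09:00:00+00:00", "result": "success",
     "country": "US", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "time": "2025-03-04T12:00:00+00:00", "result": "failure",
     "country": "FR", "lat": 48.8566, "lon": 2.3522},
    {"user": "bob", "time": "2025-03-04T16:00:00+00:00", "result": "success",
     "country": "US", "lat": 34.0522, "lon": -118.2437},
]
BASELINE = {"alice": {"GB"}, "bob": {"US"}}

if __name__ == "__main__":
    for h in ("login.rnicrosoftonline-secure.com", "micros0ft-login.net", "login.microsoftonline.com"):
        print(h, "->", lookalike_brand(h))
    for a in flag_signins(SAMPLE_EVENTS, BASELINE):
        print(a)
```

Run as-is, the lookalike check flags the first two hostnames and clears the legitimate one, and the sign-in check raises two alerts for alice (Germany is outside her baseline, and London to Frankfurt in half an hour exceeds the travel threshold) while bob's New York to Los Angeles day is left alone and his failed attempt from France is ignored. In practice the baseline set would be derived from each user's prior 30 to 90 days of successful sign-ins rather than hand-coded, and the lookalike score would be run against certificate-transparency and newly-registered-domain feeds.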