bleepingcomputer.com
By Bill Toulas
December 19, 2025

The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service.

The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.

The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.

The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.

The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.

It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.

BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.

“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.

“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”

One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.

Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.

The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.

Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.

Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation.

The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

bleepingcomputer.com
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.

In early September 2025, in coordination with Cloudflare's Cloudforce One and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.

The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.

For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.

The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.

"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," said Steven Masada, Assistant General Counsel for Microsoft's Digital Crimes Unit.

"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."

RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
​Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.

During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.

Cloudflare also believes that RaccoonO365 also collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.

"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.

"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."

In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.

An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.

Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.

However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.

Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down..

"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.

"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."

The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.

The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms.

Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.