
Nigerian Suspect Arrested, a Global Phishing Service, and the Microsoft 365 Cyberattack Crackdown

How hackers are breaking into MFA-enabled Microsoft 365 accounts

What happened in the Microsoft 365 cyberattack case?

Nigeria’s National Cybercrime Centre arrested a suspected high‑profile fraud operator after a wave of attacks on Microsoft 365 accounts across multiple countries. Police say the operation relied on a phishing toolkit called RaccoonO365 that generated fake Microsoft login pages to steal user credentials from corporate, financial, and educational institutions.

The investigation shows that between January and September 2025, multiple intrusions into Microsoft 365 accounts were traced to emails that closely copied Microsoft authentication prompts, leading to business email compromise, data breaches, and financial losses in several jurisdictions. Investigators link these intrusions to a phishing‑as‑a‑service model in which links and templates were sold to other criminals rather than used only by the alleged developer. (Peoples Gazette)

Who is the suspect and what is RaccoonO365?

Police identify the principal suspect as Okitipi Samuel, known online as “RaccoonO365” and “Moses Felix,” alleged to be the developer and operator of the phishing infrastructure. According to cybercrime investigators, he is accused of running a Telegram channel where phishing links were sold for cryptocurrency, while fake Microsoft 365 login portals were hosted on Cloudflare using stolen or fraudulently obtained email credentials.

Authorities add that searches at locations in Lagos and Edo States led to the seizure of laptops, phones, and other digital devices that forensic analysts link to the scheme. Two other individuals were initially detained during these operations, but investigators later reported no evidence tying them to development or control of the toolkit itself. (CKN Nigeria)

How did the phishing‑as‑a‑service scheme work?

RaccoonO365 functioned as a subscription‑style service: cybercriminals could pay in cryptocurrency to generate phishing pages and links that looked like standard Microsoft 365 sign‑in screens. Once a victim entered their username and password, those details were captured and sent to the operators, who could then log in to the real Microsoft 365 accounts to access email, cloud storage, and internal systems.

Security researchers report that since at least July 2024, the service helped steal more than 5,000 Microsoft 365 credentials across 94 countries, giving attackers entry points into OneDrive, SharePoint, Outlook, and other cloud resources. One analysis notes that senders could reach up to 9,000 targets per day, while Telegram channels connected to the service counted more than 850 members and at least 100,000 US dollars in recorded cryptocurrency payments. (Malwarebytes Labs)

How did Microsoft, law enforcement, and partners respond?

The case grew out of intelligence shared by Microsoft with the FBI, which then passed information to Nigeria’s National Cybercrime Centre, including technical indicators and details of the phishing toolkit. Nigeria’s police say they mounted an “intelligence‑driven operation” with Microsoft, the FBI, the U.S. Secret Service, and other partners, combining digital forensics, IP tracking, domain analysis, and cryptocurrency tracing to follow the money and infrastructure.

In parallel, Microsoft and Cloudflare took civil and technical action against RaccoonO365’s infrastructure, seizing or disabling hundreds of domains used for fake login pages and cutting off hosting for phishing content. A Microsoft security blog cited by industry outlets states that the group running the service, also tracked as “Storm‑2246,” had turned low‑skill credential theft into what one report calls a “massive phishing empire” before the takedown. (CSO Online)

What do officials and experts say about the risks?

Nigeria Police spokesman Benjamin Hundeyin warns that phishing campaigns like this “resulted in business email compromise, data breaches, and financial losses across multiple jurisdictions,” stressing that organizations must scrutinize unexpected login prompts and messages requesting credential verification. The head of the National Cybercrime Centre, Commissioner of Police Ifeanyi Uche, urges users not to click links from unknown or untrusted sources and to rely on official channels when in doubt about account security notices.

Security analysts examining RaccoonO365 highlight that once attackers obtain Microsoft 365 credentials, they can silently monitor email, move laterally across a company’s cloud environment, and even use a compromised account as a launchpad for internal phishing and eventual ransomware deployment. As one industry write‑up on the operation puts it, the service “specialized in stealing Microsoft 365 credentials” and then turning those logins into “data theft, financial fraud, or even deep organizational compromise.” (NewsGhana)

What practical lessons should Microsoft 365 users take from this case?

This case underlines how convincing fake login pages can bypass human skepticism, especially when sent from addresses that appear to belong to trusted partners or co‑workers. Investigators and Microsoft’s security teams repeatedly stress the importance of multi‑factor authentication, careful checking of URLs before entering passwords, and rapid reporting of suspicious emails to internal IT teams or security officers.

Law enforcement agencies also point to the value of cross‑border cooperation, arguing that a phishing‑as‑a‑service operation that sells to clients around the world cannot be tackled by one country alone. As the National Cybercrime Centre states in its public messaging, sustained collaboration with global partners and active public awareness are now central pillars of Nigeria’s strategy against large‑scale cybercrime syndicates. (NPF–NCCC)

Jeffrey Childers
Journalist, editor, cybersecurity and computer science expert, social media management, roofing contractor.
