Nigerian Police Disrupt Raccoon0365 Phishing-as-a-Service Targeting Microsoft 365

CyberSecureFox 🦊

Nigerian law enforcement has announced the arrest of three individuals allegedly linked to the Raccoon0365 phishing-as-a-service (PhaaS) platform, a commercial operation used to conduct large‑scale phishing campaigns against Microsoft 365 corporate accounts. The operation was enabled by technical evidence supplied by Microsoft, shared with the FBI, and subsequently passed to the Nigeria Police Force National Cybercrime Center (NPF‑NCCC).

Nigerian Police Arrest Suspected Raccoon0365 Operators

According to the NPF‑NCCC, coordinated raids were carried out in the states of Lagos and Edo. During these actions, investigators seized laptops, mobile phones, and other digital devices. Forensic analysis reportedly tied these assets directly to the Raccoon0365 infrastructure, with a detailed technical footprint allowing authorities to correlate specific devices with identified phishing activity.

Among those detained is Okitipi Samuel, known online under the aliases Raccoon0365 and Moses Felix. Investigators consider him a primary developer of the platform and administrator of a private Telegram channel used to distribute phishing kits. At the time the service was shut down, this channel had more than 800 participants, indicating a sizable customer base for the illicit offering.

The roles of the two other arrested individuals are still being clarified, and they have not yet been formally accused of direct involvement in building or operating the service. Notably, the Nigerian police statement does not mention Joshua Ogundipe, previously highlighted by Microsoft researchers as a suspected leader of the group behind Raccoon0365, underscoring that the investigation may still be ongoing and multi‑jurisdictional.

How the Raccoon0365 Phishing-as-a-Service Platform Worked

Raccoon0365 functioned as a commercial Phishing‑as‑a‑Service platform, lowering the barrier to entry for cybercriminals seeking to target Microsoft 365 users. Subscribers did not need deep technical skills: the service provided ready‑made infrastructure, phishing kits, and automation, while customers focused on selecting targets and monetizing stolen data.

Clients received tools to generate phishing emails and attachments containing links or QR codes, as well as cloned login pages closely imitating legitimate Microsoft 365 authentication screens. When victims followed the link and entered their credentials, the data was immediately exfiltrated to Raccoon0365 operators, often along with session cookies. Because such a cookie is issued only after the victim has completed the sign-in, including any one-time code or push approval, replaying it lets the attacker take over the authenticated session without ever facing an MFA prompt of their own. This is why basic MFA methods do not stop this class of kit.

The stolen access was used not only to compromise usernames and passwords but also to pivot deeper into Microsoft 365 ecosystems, including OneDrive, SharePoint, and corporate mailboxes. This enabled:

Business Email Compromise (BEC) and financial fraud. Attackers could manipulate ongoing email threads, alter payment details on invoices, and redirect funds to accounts they controlled. BEC remains one of the most costly attack types globally.

Extortion and data theft. Access to confidential documents, contracts, and internal discussions created leverage for blackmail, threats of data leaks, or disruption of business operations.

Further intrusion into corporate networks. Compromised accounts often served as initial footholds for deploying additional malware and conducting lateral movement inside the victim organization.

Raccoon0365’s phishing kits were sold by subscription via a private Telegram channel with over 840 members (as of 25 August 2025). Pricing reportedly ranged from USD 355 per month to USD 999 for three months, payable in cryptocurrencies such as USDT and BTC. Microsoft estimates that the group earned at least USD 100,000 in cryptocurrency, implying a minimum of 100–200 subscriptions, although the real revenue may be higher.

Microsoft and Cloudflare Help Take Down Raccoon0365 Infrastructure

In early September 2025, Microsoft’s Digital Crimes Unit (DCU), working with Cloudflare Cloudforce One and the company’s Trust and Safety teams, executed an operation to dismantle infrastructure linked to Raccoon0365. In total, 338 websites and Cloudflare Workers accounts used to host phishing pages and evade detection were taken offline.

Cloudflare’s services had been abused by the actors to enhance anti‑analysis capabilities and detection evasion. Traffic proxying, protection against automated scanning, and rapid deployment of new domains made it more difficult for defenders to block malicious resources quickly.

A critical factor in unmasking the operators was an operational security (OPSEC) mistake. According to Microsoft, the group inadvertently exposed a previously secret cryptocurrency wallet. By correlating blockchain transactions with related accounts and hosting infrastructure, DCU analysts were able to identify key participants and pass their findings to international law‑enforcement partners.

Security Lessons for Organizations Using Microsoft 365

The Raccoon0365 case illustrates how PhaaS platforms industrialize phishing, turning it into a scalable service. Dozens or hundreds of customers worldwide can purchase turnkey phishing campaigns, complete with email templates, hosting, dashboards, and built‑in evasion of common defenses. Industry reports such as Verizon’s Data Breach Investigations Report consistently show that the human element and phishing remain dominant initial access vectors in breaches.

Strengthen authentication and access control

Organizations should enforce robust MFA, prioritize phishing-resistant methods such as FIDO2 security keys (the credential is bound to the legitimate origin, so a cloned login page cannot complete the authentication ceremony), and limit reliance on one-time codes delivered via SMS or email. Conditional access policies, device compliance checks, and strict session settings (a sign-in frequency that forces periodic re-authentication, and no persistent browser sessions) reduce the value of stolen passwords and cookies by shortening the window in which a replayed cookie still works.
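As an added example (not the article's or Microsoft's code), the following Python audits a constructed Conditional Access policy export for the controls described above: a phishing-resistant authentication strength rather than generic MFA, a sign-in frequency, and no persistent browser sessions. The policy objects follow the shape of the Microsoft Graph conditionalAccessPolicy resource as I understand it, and the built-in "Phishing-resistant MFA" authentication-strength id is an assumption; confirm both against your own tenant's export before relying on the checks.

```python
"""Audit a Conditional Access policy export for the controls recommended above.
Added example. Field names follow the Microsoft Graph conditionalAccessPolicy shape
(grantControls / sessionControls) as assumed here; the sample policies are constructed."""
import json

# Assumption: built-in "Phishing-resistant MFA" authentication strength id in Entra ID.
PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"
# Assumption: local ceiling on how long a session may live before re-authentication.
MAX_SIGNIN_FREQUENCY_HOURS = 24

# Constructed export: three policies with different strengths and weaknesses.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,
    },
    {
        "displayName": "Admins: phishing-resistant MFA, 12h sign-in frequency",
        "state": "enabled",
        "grantControls": {
            "operator": "AND",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_ID},
        },
        "sessionControls": {
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": 12},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    },
    {
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        "sessionControls": None,
    },
])


def audit_policy(policy):
    """Return a list of human-readable findings for one policy (empty list = passes)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    strength_id = (grant.get("authenticationStrength") or {}).get("id")
    if "block" in controls:
        return findings  # a block policy has no authentication or session controls to check

    if strength_id == PHISHING_RESISTANT_MFA_ID:
        pass  # FIDO2 / certificate-based methods only; OTP and push cannot satisfy it
    elif "mfa" in controls:
        findings.append("generic MFA: OTP and push approvals satisfy it; require phishing-resistant strength")
    else:
        findings.append("no MFA requirement")

    session = policy.get("sessionControls") or {}
    sif = session.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("no sign-in frequency: a replayed session is never forced to re-authenticate")
    else:
        hours = sif["value"] * (24 if sif.get("type") == "days" else 1)
        if hours > MAX_SIGNIN_FREQUENCY_HOURS:
            findings.append("sign-in frequency %dh exceeds ceiling of %dh" % (hours, MAX_SIGNIN_FREQUENCY_HOURS))
    pb = session.get("persistentBrowser") or {}
    if not (pb.get("isEnabled") and pb.get("mode") == "never"):
        findings.append("persistent browser sessions allowed: cookies survive browser restarts")
    return findings


def audit_export(raw_json):
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: audit_policy(p) for p in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "->", findings or "OK")
```

Run the audit against a real export (for example the JSON returned by the Graph `identity/conditionalAccess/policies` endpoint) only after checking that the field names match what your tenant returns.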

Harden email and link security

Modern email security solutions, such as Secure Email Gateways or Microsoft Defender for Office 365, must be correctly configured, with URL and attachment scanning enabled. Special attention should be given to QR-code-based phishing: the URL is embedded in an image, so gateway URL rewriting and scanning often miss it, and the victim typically scans it with a personal phone that sits outside corporate browser and endpoint controls.

Invest in continuous user awareness

Regular simulated phishing exercises and training help employees recognize fraudulent messages, even when they appear to come from trusted brands or internal colleagues. Emphasizing the risks of entering credentials after scanning QR codes or following unexpected links is particularly important.

Monitor account behavior and cloud activity

Security teams should configure alerts for logins from unusual geolocations, impossible travel scenarios, mass data downloads, and suspicious OAuth applications. Integrating these signals into a Security Information and Event Management (SIEM) or XDR platform allows faster detection and containment of compromised accounts.
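As an added example, not part of the original article, here is a small Python detector that implements two of those checks over constructed records: impossible travel between consecutive sign-ins (great-circle distance divided by elapsed time, compared against an assumed 900 km/h ceiling) and consent grants to OAuth applications that request mailbox or offline-access scopes. The record layouts, the speed threshold and the risky-scope list are assumptions chosen for the example, not Microsoft log schemas; in production you would feed it the equivalent fields from the sign-in and unified audit logs.

```python
"""Impossible-travel and risky OAuth-consent detection over constructed sign-in and audit
records. Added example; the records, field layout, threshold and scope list are assumptions."""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner counts as impossible travel
# Assumption: scopes that let an app read or send mail, or keep access after the user signs out.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}

# Constructed sign-in records: (user, ISO timestamp UTC, latitude, longitude, city)
SIGN_INS = [
    ("alice@example.com", "2025-09-01T08:00:00", 51.5074, -0.1278, "London"),
    ("alice@example.com", "2025-09-01T08:30:00", 6.5244, 3.3792, "Lagos"),          # 30 min later
    ("bob@example.com", "2025-09-01T09:00:00", 40.7128, -74.0060, "New York"),
    ("bob@example.com", "2025-09-01T17:00:00", 34.0522, -118.2437, "Los Angeles"),  # 8 h later
]

# Constructed audit records: (user, ISO timestamp UTC, operation, app name, granted scopes)
AUDIT = [
    ("alice@example.com", "2025-09-01T08:35:00", "Consent to application.", "MailSyncHelper",
     "Mail.Read Mail.Send offline_access"),
    ("bob@example.com", "2025-09-01T09:10:00", "Consent to application.", "Whiteboard",
     "User.Read"),
    ("bob@example.com", "2025-09-01T09:12:00", "FileDownloaded", "", ""),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh."""
    alerts = []
    last = {}  # user -> (timestamp, lat, lon, city) of the previous sign-in
    for user, ts, lat, lon, city in sorted(sign_ins, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            prev_when, plat, plon, pcity = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # A location change with zero elapsed time is impossible as well.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({"user": user, "from": pcity, "to": city, "km": round(km),
                               "hours": round(hours, 2),
                               "kmh": round(km / hours) if hours > 0 else float("inf")})
        last[user] = (when, lat, lon, city)
    return alerts


def risky_consents(audit, risky=RISKY_SCOPES):
    """Flag OAuth consent grants whose scopes intersect the risky set."""
    alerts = []
    for user, ts, op, app, scopes in audit:
        if op != "Consent to application.":
            continue
        hit = sorted(set(scopes.split()) & risky)
        if hit:
            alerts.append({"user": user, "time": ts, "app": app, "scopes": hit})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS):
        print("IMPOSSIBLE TRAVEL", a)
    for a in risky_consents(AUDIT):
        print("RISKY CONSENT", a)
```

The speed check deliberately uses the raw geolocation rather than country names, so a London-to-Lagos hop 30 minutes apart is caught while a transcontinental sign-in eight hours later is not; tune the threshold downward if your users never travel by air, and exclude known VPN egress points to keep the false-positive rate manageable.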

The disruption of Raccoon0365 demonstrates that even well‑concealed phishing‑as‑a‑service platforms are vulnerable to coordinated action by technology providers and law‑enforcement agencies. However, as long as phishing remains a highly effective tool for cybercriminals, organizations must proactively strengthen their cloud security posture—reviewing access policies, investing in Microsoft 365 and email protection, and continuously raising staff awareness of evolving phishing techniques.
