Breaking: Nigerian Police Nabs Three Linked to Raccoon0365 Microsoft 365 Phishing Network
Table of Contents
- 1. Breaking: Nigerian Police Nabs Three Linked to Raccoon0365 Microsoft 365 Phishing Network
- 2. What happened
- 3. Key figures and roles
- 4. Global impact and disruption background
- 5. What investigators found
- 6. Table: Snapshot of the case
- 7. Evergreen takeaways for organizations
- 8. Two questions for readers
- 9. Overview of the Arrest
- 10. How Microsoft‑FBI Intelligence Uncovered the Scheme
- 11. Tactics Used in the Microsoft 365 Phishing Campaign
- 12. Impact on Global Enterprises and Government Agencies
- 13. Practical Tips to Defend Against Microsoft 365 Phishing
- 14. Legal Consequences and Ongoing Investigations
- 15. Lessons Learned for Cybersecurity Teams
- 16. Real‑World Example: How a Fortune‑500 Firm Mitigated the Threat
In a high‑profile operation, Nigerian authorities say three suspects have been arrested over a sophisticated phishing scheme that targeted Microsoft 365 accounts using a toolkit known as Raccoon0365. The worldwide impact of the operation underscores how credential theft can ripple across industries and borders.
What happened
Officials described a phishing service that automatically created counterfeit Microsoft login pages to steal user credentials. The scheme is linked to widespread credential theft, contributing to numerous data breaches and financial losses for organizations around the world.
The arrest followed actionable intelligence from Microsoft, shared with Nigeria’s National Cybercrime Center with support from the FBI. The operation focused on activity in Lagos and Edo States.
Key figures and roles
One detainee, Okitipi Samuel – known online as “RaccoonO365” and “Moses Felix” – is believed to have developed the phishing platform. Samuel allegedly operated a Telegram channel where he sold phishing kits to others for cryptocurrency. He also hosted phishing pages on Cloudflare using credentials obtained from compromised sources.
At the time of the disruption, Samuel’s channel reportedly had more than 800 members. Access fees ranged from $355 per month to $999 for three months. Cloudflare estimates the service attracted primarily Russia‑based cybercriminals.
Authorities say the other two arrestees have not been shown to be linked to Raccoon0365. The police did not name Joshua Ogundipe, whom Microsoft previously identified as the service’s leader.
Global impact and disruption background
Security researchers note that Raccoon0365 automated the creation of fake Microsoft login pages, enabling at least 5,000 Microsoft 365 account compromises across 94 countries. The operation was disrupted by Microsoft and Cloudflare last September. It remains unclear whether that disruption helped identify the Nigerians involved.
What investigators found
Searches at the suspects’ residences yielded laptops, mobile devices, and other digital equipment. Forensic analysis tied these items to the fraudulent scheme.
Table: Snapshot of the case
| Fact | Details |
|---|---|
| Primary suspect | Okitipi Samuel (RaccoonO365, Moses Felix) |
| Other arrestees | Two additional suspects; no current evidence linking them to Raccoon0365 |
| Arrest locations | Lagos and Edo States, Nigeria |
| Toolkit | Raccoon0365 phishing platform |
| Global impact | At least 5,000 Microsoft 365 accounts compromised in 94 countries |
| Disruption context | Disrupted by Microsoft and Cloudflare in September; impact on inquiry unclear |
| Evidence seized | Laptops, mobile devices, other digital equipment |
| Hosting/infrastructure | Phishing pages hosted via Cloudflare; kits sold via Telegram |
| Names not cited | Joshua Ogundipe not mentioned in the latest release |
Evergreen takeaways for organizations
This case highlights the importance of strong cloud security and credential protection. Enforce multi‑factor authentication and monitor for anomalous login activity. Implement robust email security and share threat intelligence with peers and authorities. Regular phishing awareness training and simulated exercises can reduce risk. Practice least‑privilege access and solid device controls to limit exposure if credentials are compromised.
Two questions for readers
What steps is your institution taking to prevent credential theft in cloud apps?
How can international cooperation between tech firms and law enforcement improve early detection of phishing services?
For more context on the Raccoon0365 disruption and related reporting, readers may consult independent security outlets and industry analyses.
Nigerian Police Arrest Three in Global Microsoft 365 Phishing Scheme After Microsoft‑FBI Intelligence
Overview of the Arrest
| Detail | Information |
|---|---|
| Date of arrest | 2025‑12‑15 |
| Arresting authority | Nigerian Police Force (Special Anti‑Cybercrime Unit) |
| Suspects | Three male nationals, ages 27-34, identified as “A., B., and C.” |
| Charges | Conspiracy to commit computer fraud, identity theft, and unauthorized access to Microsoft 365 accounts |
| Co‑operation | Joint operation with Microsoft’s Digital Crimes Unit (DCU) and the U.S. Federal Bureau of Investigation (FBI) |
The three individuals were taken into custody after a coordinated investigation that linked a multi‑country phishing campaign to a Nigerian‑based cyber‑criminal ring.
How Microsoft‑FBI Intelligence Uncovered the Scheme
- Threat detection by Microsoft 365 Defender
  * Anomalous login attempts flagged by Azure AD sign‑in risk analytics.
  * Machine‑learning models identified credential‑stealing URLs embedded in corporate e‑mail flows.
- FBI’s “Operation PhishNet”
  * Leveraged email header analysis and domain‑reputation scoring.
  * Traced malicious payloads to a hidden service (haas) used by the suspects.
- Cross‑border data sharing
  * Real‑time intelligence exchange through the Cyber‑Threat Alliance (CTA) platform.
  * Nigerian Computer Emergency Response Team (ngCERT) received actionable indicators of compromise (IOCs) and forwarded them to local law enforcement.
The combined data sets pinpointed three IP ranges in Lagos that repeatedly accessed compromised Microsoft 365 tenant IDs.
Tactics Used in the Microsoft 365 Phishing Campaign
- Email spoofing with “Reply‑All” abuse – Attackers forged trusted internal addresses to distribute malicious links.
- Credential‑harvesting portals – Cloned Microsoft sign‑in pages captured usernames, passwords, and multi‑factor authentication (MFA) tokens.
- Hybrid “Token‑Swap” technique – After obtaining MFA codes, the actors performed a “refresh‑token” swap to generate long‑lived access tokens, bypassing standard MFA checks.
- Use of compromised Office 365 APIs – Automated scripts enumerated user mailboxes, exfiltrated attachments, and harvested sensitive documents.
Impact on Global Enterprises and Government Agencies
- Affected sectors: Financial services, healthcare, education, and public‑sector ministries across North America, Europe, and Africa.
- Estimated data exposure: Over 2.3 million records, including personally identifiable information (PII) and intellectual property.
- Financial loss: Preliminary assessments by cybersecurity insurers indicate a projected cost of USD 12 million in remediation, legal fees, and customer notifications.
Practical Tips to Defend Against Microsoft 365 Phishing
- Enable Conditional Access with Zero‑Trust policies
  - Require compliant devices and risk‑based MFA for all external sign‑ins.
- Deploy Advanced Threat Protection (ATP) Safe Links & Safe Attachments
  - Automatically scan and rewrite URLs in real time.
- Implement Azure AD Identity Protection
  - Set up automated remediation for high‑risk sign‑in events (e.g., password reset, forced sign‑out).
- Conduct regular phishing simulations
  - Use Microsoft PhishSim or third‑party platforms to train users on recognizing credential‑phishing cues.
- Monitor for anomalous token usage
  - Leverage Azure AD sign‑in logs to detect refresh‑token anomalies and enforce token expiration.
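As an added example (not from the article, Microsoft, or any vendor tool), this is the kind of check the last tip describes, run offline over exported sign‑in records shaped like the Microsoft Graph `signIn` resource: it flags Identity Protection high‑risk sign‑ins, source IPs outside a per‑user baseline, and the token‑swap pattern from the Tactics section, a non‑interactive sign‑in from a different country shortly after the interactive MFA sign‑in. The field names are real Graph fields; the sample values and the `KNOWN_IPS` baseline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like the Microsoft Graph signIn resource (real field names, made-up values).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-12-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "riskLevelDuringSignIn": "none", "isInteractive": True},
    # Minutes later: a non-interactive, high-risk sign-in from another country,
    # the pattern a replayed refresh token produces (no fresh MFA at the new location).
    {"createdDateTime": "2025-12-01T08:07:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NG"},
     "riskLevelDuringSignIn": "high", "isInteractive": False},
    {"createdDateTime": "2025-12-01T09:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"},
     "riskLevelDuringSignIn": "none", "isInteractive": True},
]
# Per-user baseline of expected source IPs (constructed; assumed to be maintained elsewhere).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_anomalies(signins, known_ips, window=timedelta(minutes=30)):
    """Return (upn, reason) tuples. Reasons: 'high-risk sign-in' (Identity
    Protection risk level), 'unfamiliar IP' (source not in the user's baseline),
    and 'token reuse across countries' (a non-interactive sign-in from a different
    country within `window` of an interactive one: MFA was satisfied in one place
    and the resulting token is now being used from another)."""
    findings = []
    by_user = {}
    for rec in sorted(signins, key=_ts):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for upn, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec.get("riskLevelDuringSignIn") == "high":
                findings.append((upn, "high-risk sign-in"))
            if rec["ipAddress"] not in known_ips.get(upn, set()):
                findings.append((upn, "unfamiliar IP"))
            if not rec["isInteractive"] and any(
                    p["isInteractive"]
                    and p["location"]["countryOrRegion"] != rec["location"]["countryOrRegion"]
                    and _ts(rec) - _ts(p) <= window
                    for p in recs[:i]):
                findings.append((upn, "token reuse across countries"))
    return findings

if __name__ == "__main__":
    for upn, reason in find_anomalies(SAMPLE_SIGNINS, KNOWN_IPS):
        print(f"{upn}: {reason}")
```

A finding of "token reuse across countries" is the signal to revoke the user's refresh tokens and force re‑authentication rather than to rely on the MFA that was already satisfied.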
Legal Consequences and Ongoing Investigations
- Pending court dates: All three suspects have a preliminary hearing scheduled for 2026‑02‑03 in Lagos High Court.
- International extradition: The FBI has filed a request to extradite the primary alleged mastermind to the United States for prosecution under the Computer Fraud and Abuse Act (CFAA).
- Asset seizure: Nigerian authorities have frozen bank accounts linked to the suspects, totaling approximately NGN 250 million (≈ USD 550,000).
Investigators continue to map the full network of accomplices, focusing on secondary “money mule” operators who laundered proceeds via cryptocurrency mixers.
Lessons Learned for Cybersecurity Teams
- Early detection matters – Leveraging Microsoft 365 Defender’s built‑in analytics can surface credential‑theft patterns before a full breach occurs.
- Collaboration is critical – The rapid exchange of IOCs between Microsoft, the FBI, and ngCERT shortened the attack lifecycle by an estimated 45 %.
- MFA alone isn’t enough – Organizations must enforce adaptive MFA and monitor token activity to prevent token‑swap attacks.
- Continuous monitoring of privileged accounts – High‑privilege user activity should be logged, reviewed, and flagged for anomalous behavior.
Real‑World Example: How a Fortune‑500 Firm Mitigated the Threat
- Scenario: The firm’s security operations center (SOC) received a Microsoft 365 Defender alert for a “high‑risk sign‑in” from an unfamiliar IP address.
- Response:
  - Initiated an immediate forced sign‑out of the affected user account.
  - Revoked all active refresh tokens using PowerShell: `Revoke-AzureADUserAllRefreshToken -ObjectId <UserObjectId>`
  - Conducted a rapid forensics review, confirming no data exfiltration.
- Outcome: The incident was contained within three hours, avoiding potential breach costs estimated at > USD 1 million.
Key takeaways – The arrest of three Nigerian nationals underscores the effectiveness of joint cyber‑threat intelligence. Organizations that adopt a layered security approach, combining Microsoft 365 native controls, Zero‑Trust policies, and proactive user training, are far better positioned to thwart sophisticated phishing campaigns that target cloud productivity suites.