Executive Summary
In December 2025, Nigerian authorities arrested three individuals linked to the Raccoon0365 phishing platform, which was responsible for widespread credential theft targeting Microsoft 365 users. The service enabled cybercriminals to create convincing fake Microsoft login pages, facilitating business email compromise, data breaches, and significant financial losses across 94 countries. The investigation and arrests were made possible through intelligence provided by Microsoft via the FBI, leading to the apprehension of the platform's alleged developer and the recovery of digital evidence. Raccoon0365 operated via a Telegram channel with over 800 members, selling access to the phishing kits for cryptocurrency and leveraging Cloudflare infrastructure with compromised credentials.
This incident is highly relevant as phishing-as-a-service (PhaaS) platforms continue to industrialize credential theft and make sophisticated attacks broadly accessible. The disruption of Raccoon0365 illustrates the importance of global collaboration, threat intelligence sharing, and proactive law enforcement action in curbing cybercrime.
Why This Matters Now
The rise of Phishing-as-a-Service offerings like Raccoon0365 lowers the barrier for cybercriminals worldwide, fueling a surge in account takeover and business email compromise. Targeted attacks on widely used platforms such as Microsoft 365 put sensitive business data at constant risk, underlining the immediate need for robust identity security, continuous user awareness, and stricter cloud access controls.
Attack Path Analysis
Attackers used sophisticated phishing kits to craft fraudulent Microsoft 365 login pages, luring victims to enter their credentials (Initial Compromise). With stolen credentials, attackers authenticated to Microsoft 365, accessing elevated or sensitive accounts (Privilege Escalation). They pivoted within SaaS/cloud environments, discovering further data and accounts (Lateral Movement). The adversaries maintained communication and orchestrated theft operations through remote C2 channels and Telegram (Command & Control). Data and sensitive information were exfiltrated from compromised accounts to attacker-controlled destinations (Exfiltration). The final impact included business email compromise, data breaches, and substantial financial losses for organizations (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers deployed the Raccoon0365 phishing platform to create and deliver convincing fake Microsoft 365 login pages, capturing user credentials at scale.
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
Establish Accounts: Email Account
Acquire Infrastructure: Web Services
Email Collection
Valid Accounts: Cloud Accounts
User Execution: Malicious Link
Credentials from Web Browsers
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management – Identification and Protection
Control ID: Art. 9(2)
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Identity Pillar: Phishing-resistant MFA
Control ID: Identity – Phishing Resistant Authentication
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
Microsoft 365 phishing platform compromised 5,000 accounts across 94 countries, enabling business email compromise and financial fraud targeting banking operations.
Information Technology/IT
Raccoon0365 phishing-as-a-service exploited Microsoft 365 credentials, requiring enhanced zero trust segmentation and threat detection capabilities for IT infrastructure protection.
Government Administration
International phishing operation targeting Microsoft 365 accounts poses significant risks to government communications and sensitive administrative data across multiple nations.
Health Care / Life Sciences
Healthcare organizations using Microsoft 365 face HIPAA compliance violations from credential theft, requiring encrypted traffic and enhanced egress security controls.
Sources
- Nigeria arrests dev of Microsoft 365 'Raccoon0365' phishing platform: https://www.bleepingcomputer.com/news/security/nigeria-arrests-dev-of-microsoft-365-raccoon0365-phishing-platform/
- Microsoft seizes 338 websites to disrupt rapidly growing 'RaccoonO365' phishing service: https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
- RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains: https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust principles such as segmenting workloads, enforcing least privilege, monitoring traffic flows, and restricting egress could have disrupted attacker progression across multiple kill chain stages. CNSF controls—especially Zero Trust Segmentation, Egress Policy Enforcement, Threat Detection, and Multicloud Visibility—would have limited credential abuse, lateral movement, and data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound phishing campaigns and command traffic to malicious pages could be blocked.
Control: Zero Trust Segmentation
Mitigation: Isolates sensitive SaaS admin functions and constrains unauthorized access between cloud workloads.
Control: East-West Traffic Security
Mitigation: Detects and controls lateral movement attempts within and across cloud regions.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual remote access or anomalous communication patterns are identified and alerted in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers to unknown or risky destinations are blocked or alerted.
Control: Multicloud Visibility
Mitigation: Centralized visibility provides early warning and limits the blast radius of impact.
Impact at a Glance
Affected Business Functions
- Email Communications
- Data Management
- Financial Transactions
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to Microsoft 365 accounts led to business email compromise, data breaches, and potential exposure of sensitive information, including financial data and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Strengthen egress filtering to block access to known phishing domains and restrict outbound traffic to only legitimate destinations.
- Enforce Zero Trust Segmentation to minimize lateral movement and ensure least-privilege access between users and SaaS/cloud resources.
- Deploy threat detection and anomaly response tooling capable of monitoring SaaS access patterns and alerting on suspicious behavior.
- Enable comprehensive multicloud visibility to quickly discover and isolate compromised accounts or workloads across environments.
- Regularly review and tighten identity and access policies to reduce risks from stolen credentials and privilege escalation attempts.
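The "Threat Detection & Anomaly Response" control above and the recommendation to monitor SaaS access patterns both come down to the same question: what does use of a phished credential look like in sign-in telemetry? The following Python script is an added example written for this brief, not CNSF product logic or code from any of the cited sources. It assumes a simplified, constructed CSV sign-in format (timestamp, user, source IP, country, result) rather than the real Microsoft 365 sign-in log schema, and the sample events, user names, and documentation-range IP addresses are all constructed. It flags two patterns that follow from the attack path described in this brief: a successful sign-in from a country the user has never signed in from, and one source IP successfully authenticating as several distinct users within a short window, which is what replaying a batch of harvested credentials looks like.

```python
"""Flag Microsoft 365 sign-ins consistent with use of phished credentials.

Added example for this brief (not vendor product code).  The log format is a
constructed, simplified CSV: timestamp,user,source_ip,country,result.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline: successful sign-ins from each user's usual locations.
BASELINE_LOG = """\
2025-11-03T08:02:11Z,alice@example.com,198.51.100.10,US,success
2025-11-03T08:05:40Z,bob@example.com,198.51.100.11,US,success
2025-11-04T09:15:02Z,carol@example.com,198.51.100.12,DE,success
2025-11-05T08:01:55Z,alice@example.com,198.51.100.10,US,success
"""

# Constructed events to evaluate: one source IP signing in as three users
# within minutes, from a country none of them has used before.
NEW_LOG = """\
2025-12-01T13:20:05Z,alice@example.com,203.0.113.7,BR,success
2025-12-01T13:24:31Z,bob@example.com,203.0.113.7,BR,failure
2025-12-01T13:25:02Z,bob@example.com,203.0.113.7,BR,success
2025-12-01T13:41:19Z,carol@example.com,203.0.113.7,BR,success
2025-12-01T14:00:00Z,dave@example.com,198.51.100.13,US,success
"""


def parse_log(text):
    """Parse the constructed CSV format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "country": country,
            "success": result == "success",
        })
    return events


def build_baseline(events):
    """Map each user to the set of countries seen in successful sign-ins."""
    known = defaultdict(set)
    for e in events:
        if e["success"]:
            known[e["user"]].add(e["country"])
    return known


def detect(baseline, events, shared_ip_threshold=3, window=timedelta(hours=1)):
    """Return alerts for two patterns typical of phished-credential abuse.

    new_country:   a successful sign-in from a country absent from the
                   user's baseline (known user, unfamiliar origin).
    shared_source: one IP succeeding as >= threshold distinct users inside
                   the window (one actor replaying harvested credentials).
    Failed attempts are ignored; only successes represent account access.
    """
    alerts = []
    successes = sorted((e for e in events if e["success"]), key=lambda e: e["ts"])

    for e in successes:
        known = baseline.get(e["user"])
        if known is not None and e["country"] not in known:
            alerts.append(("new_country", e["user"], e["ip"]))

    by_ip = defaultdict(list)
    for e in successes:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            # Distinct users this IP authenticated as, starting at this event.
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= shared_ip_threshold:
                alerts.append(("shared_source", ip, tuple(sorted(users))))
                break  # one alert per IP is enough for triage
    return alerts


def run():
    """Build the baseline from the old log and evaluate the new events."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input this produces three `new_country` alerts (alice, bob, carol) and one `shared_source` alert for 203.0.113.7; dave's sign-in is not flagged because that user has no baseline and the IP is not shared. In production the country and ASN would come from the identity provider's own sign-in log fields, and the `shared_source` threshold should be tuned to exclude legitimate shared egress such as a corporate proxy.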