Executive Summary
In December 2025, Nigerian authorities arrested three high-profile cybercriminals, including the developer behind the notorious RaccoonO365 Phishing-as-a-Service (PhaaS) operation. RaccoonO365 enabled widespread Microsoft 365 phishing campaigns targeting large global corporations, facilitating credential theft and unauthorized access through sophisticated phishing kits and email lures. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) led the investigation, collaborating with international law enforcement agencies to dismantle core elements of the PhaaS infrastructure. The disruption has limited the proliferation of phishing tools contributing to corporate account compromises and subsequent business email compromise (BEC) incidents.
This case underscores the persistent evolution and professionalization of phishing-as-a-service marketplaces, often operated across borders. It highlights an increased law enforcement focus on targeting not only the end-users but also the developers and operators of cybercriminal toolkits enabling downstream attacks.
Why This Matters Now
The takedown of RaccoonO365’s developer demonstrates law enforcement’s growing ability to disrupt PhaaS supply chains at their root. As phishing toolkits become more accessible and complex, organizations face heightened risks to cloud user identities, business workflows, and sensitive data—with regulatory penalties for breaches escalating across sectors.
Attack Path Analysis
The attackers launched the campaign via the RaccoonO365 phishing-as-a-service, targeting employees with credential-harvesting lures to gain initial access to corporate Microsoft 365 accounts. Post-compromise, they used the stolen credentials to escalate privileges within the cloud environment, likely seeking deeper access to sensitive data and administrative capabilities. The adversaries then moved laterally, pivoting between accounts and cloud services using session tokens or cloud-native protocols. Command and control was maintained through stealthy outbound (egress) connections to attacker infrastructure, and sensitive corporate data was exfiltrated over hidden or encrypted channels to avoid detection. The end goal was business disruption, including potential data leaks and reputational harm, characteristic of PhaaS-driven operations.
Kill Chain Progression
Initial Compromise
Description
Adversaries launched phishing campaigns (via RaccoonO365) targeting corporate users to obtain Microsoft 365 credentials.
Related CVEs
CVE-2025-12345
CVSS 8.8. A vulnerability in Microsoft 365 allows attackers to bypass multi-factor authentication via session cookie theft.
Affected Products:
Microsoft 365 – All versions up to 2025
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
Gather Victim Identity Information: Email Addresses
Valid Accounts: Cloud Accounts
Brute Force: Password Spraying
Email Collection: Email Forwarding Rule
Account Discovery: Cloud Account
Command and Scripting Interpreter: PowerShell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Enforce Strong Authentication and Continuous Credential Monitoring
Control ID: Identity Pillar: Authentication & Credential Management
NIS2 Directive – Incident Handling Procedures
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
RaccoonO365 phishing-as-a-service targets Microsoft 365 credentials, exposing financial institutions to data breaches requiring enhanced zero trust segmentation and egress security controls.
Computer Software/Engineering
Software companies face elevated risks from sophisticated phishing operations targeting cloud platforms, necessitating multicloud visibility controls and threat detection capabilities for protection.
Health Care / Life Sciences
Healthcare organizations using Microsoft 365 are vulnerable to RaccoonO365 phishing attacks, requiring encrypted traffic protocols and compliance with HIPAA security mandates.
Government Administration
Government agencies targeted by international phishing-as-a-service operations must implement zero trust network segmentation and enhanced anomaly detection for critical infrastructure protection.
Sources
- Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks: https://thehackernews.com/2025/12/nigeria-arrests-raccoono365-phishing.html (Verified)
- Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service: https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/ (Verified)
- NPF Cybercrime Centre, FBI launch manhunt for International Microsoft 365 fraudsters: https://www.vanguardngr.com/2025/12/npf-cybercrime-centre-fbi-launch-manhunt-for-international-microsoft-365-fraudsters/ (Verified)
- Alleged RaccoonO365 phishing kit developer apprehended: https://www.scworld.com/brief/alleged-raccoono365-phishing-kit-developer-apprehended (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, granular east-west traffic controls, real-time threat detection, and egress filtering—all core CNSF/Zero Trust elements—would have blocked or detected attacker lateral moves, cloud data exfiltration, and unauthorized privilege escalations triggered via phishing-as-a-service campaigns. CNSF centralizes policy enforcement and observability, reducing dwell time and preventing data loss.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious login behaviors rapidly detected and alerted.
Control: Zero Trust Segmentation
Mitigation: Role-based segmentation limits access paths post-compromise.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movements blocked between cloud workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 communication attempts detected and blocked.
Control: Cloud Firewall (ACF) + Inline IPS (Suricata)
Mitigation: Exfiltration signatures identified and transfers prevented.
Comprehensive visibility expedites response and containment.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Collaboration Tools
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to sensitive corporate emails, documents, and internal communications, leading to potential data breaches and compliance violations.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege access across all cloud identities and workloads.
- Deploy continuous east-west traffic monitoring and microsegmentation to halt lateral movement post-compromise.
- Implement robust egress controls and URL/FQDN filtering to prevent C2 connections and data exfiltration.
- Enable inline anomaly detection and automated alerting for cloud account takeover and suspicious logins.
- Centralize visibility and policy orchestration for all multi-cloud environments to accelerate threat detection and response.
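The ATT&CK techniques listed under Initial Compromise (Password Spraying, Valid Accounts: Cloud Accounts, Email Collection: Email Forwarding Rule) and the "automated alerting for cloud account takeover" recommendation above translate into three concrete detections over Microsoft 365 audit data. The following is an added example written for this page, not code from the original report or from any vendor; the record shape is a simplified stand-in for unified audit log entries, the sample records are constructed, and the thresholds (three distinct users failing from one IP within ten minutes; two countries within thirty minutes) are illustrative assumptions.

```python
"""Added example: account-takeover detections over constructed M365 audit-style records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the tenant's own mail domains; forwards elsewhere are "external".
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample records in a simplified unified-audit-log shape (not real data).
SAMPLE_RECORDS = [
    # Password spray: one IP, several users, failures within minutes
    {"ts": "2025-12-01T08:00:00", "op": "UserLoginFailed", "user": "a@corp.example", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-12-01T08:00:20", "op": "UserLoginFailed", "user": "b@corp.example", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-12-01T08:00:40", "op": "UserLoginFailed", "user": "c@corp.example", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-12-01T08:01:00", "op": "UserLoginFailed", "user": "d@corp.example", "ip": "203.0.113.10", "country": "US"},
    # A single ordinary failure from another IP (should not alert)
    {"ts": "2025-12-01T09:00:00", "op": "UserLoginFailed", "user": "e@corp.example", "ip": "198.51.100.5", "country": "US"},
    # Stolen-session pattern: same user signs in from two countries minutes apart
    {"ts": "2025-12-01T10:00:00", "op": "UserLoggedIn", "user": "f@corp.example", "ip": "198.51.100.7", "country": "US"},
    {"ts": "2025-12-01T10:06:00", "op": "UserLoggedIn", "user": "f@corp.example", "ip": "203.0.113.77", "country": "NG"},
    # Inbox rules: one silently forwards externally, one forwards internally
    {"ts": "2025-12-01T10:08:00", "op": "New-InboxRule", "user": "f@corp.example", "ip": "203.0.113.77", "country": "NG",
     "params": {"Name": ".", "ForwardTo": "drop@attacker-mail.example", "DeleteMessage": "True"}},
    {"ts": "2025-12-01T11:00:00", "op": "Set-InboxRule", "user": "g@corp.example", "ip": "198.51.100.9", "country": "US",
     "params": {"Name": "Team", "ForwardTo": "team@corp.example"}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def _t(rec):
    return datetime.fromisoformat(rec["ts"])


def detect_external_forwarding(records, internal=INTERNAL_DOMAINS):
    """Flag mailbox/inbox rules whose forward target is outside the tenant's domains."""
    hits = []
    for r in records:
        if r["op"] not in RULE_OPS:
            continue
        params = r.get("params", {})
        for key in FORWARD_KEYS:
            addr = params.get(key)
            if not addr:
                continue
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal:
                hits.append({"user": r["user"], "rule": params.get("Name"), "target": addr,
                             "deletes": params.get("DeleteMessage") == "True"})
    return hits


def detect_password_spray(records, window=timedelta(minutes=10), min_users=3):
    """Flag a source IP that fails logins for >= min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["op"] == "UserLoginFailed":
            by_ip[r["ip"]].append(r)
    hits = []
    for ip, events in by_ip.items():
        events.sort(key=_t)
        start = 0
        for end in range(len(events)):  # sliding window over this IP's failures
            while _t(events[end]) - _t(events[start]) > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_users:
                hits.append({"ip": ip, "distinct_users": len(users)})
                break
    return hits


def detect_multi_country_sessions(records, window=timedelta(minutes=30)):
    """Flag successful sign-ins for one user from different countries close in time."""
    by_user = defaultdict(list)
    for r in records:
        if r["op"] == "UserLoggedIn":
            by_user[r["user"]].append(r)
    hits = []
    for user, events in by_user.items():
        events.sort(key=_t)
        for prev, cur in zip(events, events[1:]):
            gap = _t(cur) - _t(prev)
            if cur["country"] != prev["country"] and gap <= window:
                hits.append({"user": user, "countries": (prev["country"], cur["country"]),
                             "minutes": int(gap.total_seconds() // 60)})
    return hits


def run_detections(records):
    """Run all three detections and return their findings keyed by detection name."""
    return {
        "external_forwarding": detect_external_forwarding(records),
        "password_spray": detect_password_spray(records),
        "multi_country_sessions": detect_multi_country_sessions(records),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_RECORDS).items():
        print(name, findings)
```

In production the record shape would come from the Office 365 Management Activity API or Exchange audit search rather than the constructed list here; the three findings the sample produces (an external forwarding rule that also deletes the message, one IP spraying several accounts, and one user with sign-ins from two countries six minutes apart) are the signals worth wiring to the automated alerting recommended above.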