Nigeria arrests RaccoonO365 developer
SPE Team, December 22, 2025
Phishing & Social Engineering, Threat Actors

Nigerian authorities, working with Microsoft and U.S. partners, have arrested suspects tied to RaccoonO365 (aka Storm-2246), a phishing-as-a-service (PhaaS) operation that stole thousands of Microsoft 365 credentials. The takedown of hundreds of malicious domains and this arrest are important wins, but PhaaS is resilient. In this post we explain what happened, why it matters for African organisations, and exactly what to do now.
Microsoft’s Digital Crimes Unit and partners seized ~338 domains used by RaccoonO365, a PhaaS that has harvested 5,000+ Microsoft 365 credentials across dozens of countries.
Nigeria’s National Cybercrime Centre (NPF–NCCC) arrested suspects after collaborative investigations with Microsoft, the FBI and US Secret Service. One arrested individual is alleged to be a core developer.
Good news: infrastructure disruption + arrests increase operational cost for the criminals and reduce current threat activity. Reality check: PhaaS kits adapt fast; defenders must harden identity controls now.
What happened — a short timeline
July 2024 – Sep 2025: RaccoonO365 (Storm-2246) rapidly scaled, offering subscription phishing kits that mimic Microsoft 365 login flows and bypass some protections. Microsoft estimated thousands of stolen credentials.
September 2025: Microsoft DCU obtained a U.S. court order and seized 338 domains, disrupting the phishing infrastructure. Cloudflare and other partners supported takedown actions.
December 2025: Nigerian police carried out raids and arrested suspects tied to the operation (including an alleged developer), following collaboration with Microsoft and U.S. law-enforcement partners.
Why this matters to African organisations
Phishing is the top vector for account takeover. PhaaS lowers the skill barrier, enabling more attackers to target your staff with realistic Microsoft-branded lures. RaccoonO365 alone is linked to thousands of compromised credentials.
Supply-chain disruption works, but it’s not permanent. Domain seizures and arrests are huge tactical wins: they stop active campaigns and raise cost for criminals. But PhaaS operators pivot quickly (new domains, different hosting, Telegram/dark-web distribution). Expect re-emergence unless organisations strengthen identity controls.
Nigeria’s cooperation mattered. This case shows that local law enforcement + international industry cooperation can produce arrests and takedowns, a model we must scale across Africa.
The Birdling’s technical read (what we observed)
Tactics used by RaccoonO365: realistic HTML pages that replicate Microsoft 365 UX, fake CAPTCHA or session-trapping flows, techniques to harvest session cookies and device codes, and Telegram channels for distribution and sales. These kits sometimes included evasion techniques to bypass common email security filters and basic MFA setups.
Impact profile: credential harvesting → account takeover → business email compromise (BEC) and data exfiltration. Targets included corporate, financial and healthcare organisations across multiple countries.
Immediate actions for CISOs / Security Ops (what to do in the next 72 hours)
Assume compromise; validate critical accounts. Prioritise admin, finance, legal and executive accounts for immediate review and session revocation. Force sign-out of active sessions for high-risk users.
Enforce phishing-resistant authentication: enable FIDO2 / security keys or certificate-based authentication for privileged users. If you only have OTP, move to stronger factors where possible. (Device-code and cookie harvesting can bypass weak MFA.)
Enable Conditional Access & risk-based policies: block legacy auth, require compliant devices, restrict access from high-risk geolocations, and require step-up for sensitive operations.
Rotate credentials and secrets exposed to Microsoft 365 integrations: update app secrets, service accounts, and connected third-party app permissions.
Hunt for IOCs: search logs for suspicious inbound phishing links, recent OAuth consent grants, anomalous mailbox forwarding rules, and session tokens originating from known malicious domains (Microsoft published domain lists after the seizure on The Official Microsoft Blog).
Run targeted phishing simulations & user briefings: use current Raccoon-style lures to test resilience, but ensure simulations are controlled and communicated to execs (See our Adversary Simulation service).
Contact your vendor & law enforcement: if you see confirmed compromises contact Microsoft Security, your incident response provider, and local law enforcement to coordinate takedown evidence.
Practical steps for employees and individuals
Don’t click unexpected links in emails claiming to be Microsoft or tax authorities.
Verify sign-in pages: check the URL, and use bookmarks for important services.
Enable and use hardware security keys (FIDO2) where offered.
If you suspect an account has been phished, change passwords, sign out other sessions, and inform IT immediately.
Indicator of Compromise (IOC) Pack — RaccoonO365 / Storm-2246
Important note: RaccoonO365 is a phishing-as-a-service (PhaaS) operation. Infrastructure changes rapidly. These indicators should be used for retrospective hunting, enrichment, and pattern matching, not as a one-time blocklist.
1. Known IOC Categories Observed in RaccoonO365 Campaigns
A. Domain & URL Patterns
RaccoonO365 campaigns relied heavily on short-lived domains designed to impersonate Microsoft 365 login flows.
Common characteristics:
Recently registered domains (often <30 days old)
Use of Microsoft-themed keywords combined with random strings
Login paths mimicking Microsoft endpoints
Observed patterns (examples):
login[.]microsoftonline[.]secure-<random>.com
m365-auth[.]<randomstring>.net
account-security[.]office365-verify[.]com
Hunting tip:
Search for URLs containing combinations of:
microsoft, office, m365, login, verify, auth
Followed by uncommon TLDs or newly registered domains
B. Microsoft 365 Login Page Cloning Indicators
RaccoonO365 kits used pixel-perfect HTML clones of Microsoft 365 login pages.
Technical indicators:
HTML titles identical to legitimate Microsoft login pages
External JavaScript references hosted on non-Microsoft domains
Fake CAPTCHA or “session verification” pages appearing after credential entry
Detection idea:
Flag login pages where:
Page title matches Microsoft branding
BUT page domain is not login.microsoftonline.com
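The two detection ideas above (Microsoft-themed keywords in a freshly registered host, and a Microsoft login title served from a host that is not login.microsoftonline.com) plus the domain-age correlation in section 5 can be combined into one scorer. The code below is an added example written for this post, not tooling from The Birdling or Microsoft; the keyword list comes from the hunting tip above, while the list of genuine sign-in hosts, the page titles and the score weights are assumptions you should tune to your own telemetry. It also handles defanged indicators (hxxp, [.]) so IOC lists can be fed in directly.

```python
from datetime import date
from urllib.parse import urlparse

# Keywords quoted in the hunting tip above. The hosts, titles, path fragments and
# weights below are constructed assumptions for this example, not Microsoft data.
THEME_KEYWORDS = ("microsoft", "office", "m365", "login", "verify", "auth")
LEGIT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.live.com")
MICROSOFT_TITLES = ("sign in to your account", "sign in to your microsoft account")
MICROSOFT_PATH_FRAGMENTS = ("/common/oauth2", "/kmsi", "/login", "/signin")
NEW_DOMAIN_DAYS = 30   # "often <30 days old"
OLD_ENOUGH_DAYS = 60   # section 5: flag clicked URLs where domain age < 60 days


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://a[.]b) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def is_genuine_microsoft_host(host: str) -> bool:
    """Suffix match on the registrable domain: login.microsoftonline.com.evil.net is NOT genuine."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)


def score_login_page(url, page_title=None, registered_on=None, today="2025-12-22"):
    """Score a URL (plus optional <title> and ISO registration date) against the
    RaccoonO365 traits. Returns (score, reasons); genuine Microsoft hosts score 0."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if is_genuine_microsoft_host(host):
        return 0, []

    score, reasons = 0, []
    hits = sorted(k for k in THEME_KEYWORDS if k in host)
    if len(hits) >= 2:              # Microsoft keywords combined with random strings
        score += 2
        reasons.append("microsoft-themed host: " + ", ".join(hits))
    elif hits:
        score += 1
        reasons.append("one microsoft-themed keyword in host: " + hits[0])
    if any(frag in path for frag in MICROSOFT_PATH_FRAGMENTS):
        score += 1
        reasons.append("login path mimics a Microsoft endpoint: " + path)
    if page_title and page_title.strip().lower() in MICROSOFT_TITLES:
        score += 3                  # Microsoft title BUT non-Microsoft domain
        reasons.append("Microsoft login <title> served from a non-Microsoft host")
    if registered_on is not None:
        age = (date.fromisoformat(today) - date.fromisoformat(registered_on)).days
        if age < NEW_DOMAIN_DAYS:
            score += 2
            reasons.append(f"domain registered {age} days ago")
        elif age < OLD_ENOUGH_DAYS:
            score += 1
            reasons.append(f"domain registered {age} days ago")
    return score, reasons


def verdict(score: int) -> str:
    return "likely-phish" if score >= 4 else "suspicious" if score >= 2 else "benign"


if __name__ == "__main__":
    # Constructed lookalike in the style of the patterns listed above; not a real indicator.
    s, why = score_login_page("hxxps://login[.]microsoftonline[.]secure-x7q2[.]com/common/oauth2/v2.0/authorize",
                              page_title="Sign in to your account", registered_on="2025-12-10")
    print(verdict(s), s, why)
```

The suffix match in is_genuine_microsoft_host is the part worth copying: a naive "contains microsoftonline.com" check would wave through exactly the lookalike hosts this kit relied on.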
2. Email-Based Indicators (Phishing Delivery)
Common Email Lure Themes
“Unusual sign-in detected”
“Microsoft 365 password expiration”
“Secure document shared with you”
“Action required: mailbox suspension”
Header & Delivery Traits
Sender domains newly registered or parked
SPF/DKIM passing, but DMARC alignment weak
Use of URL shorteners or encoded redirect links
Hunting query idea (mail gateway):
subject CONTAINS ("Microsoft" OR "Office 365")
AND body CONTAINS ("verify" OR "sign-in" OR "secure")
AND url.domain NOT IN (microsoft.com, microsoftonline.com)
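The gateway query above is pseudo-syntax; what follows is an added example (written for this post, not a Birdling or vendor rule) that implements the same three conditions over a handful of constructed messages. The one detail it adds is how the NOT IN test on url.domain has to be written: the allow-listed domain must be the host itself or a parent of it, because a substring test would accept login.microsoftonline.com.secure-x7q2.net.

```python
import re
from urllib.parse import urlparse

# Terms from the gateway query above; TRUSTED_DOMAINS are the two it allow-lists.
SUBJECT_TERMS = ("microsoft", "office 365")
BODY_TERMS = ("verify", "sign-in", "secure")
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def in_trusted_domain(host: str) -> bool:
    """True only when host IS a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_urls(body: str) -> list:
    """Every URL in the body whose host falls outside the trusted domains."""
    found = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not in_trusted_domain(host):
            found.append(url)
    return found


def matches_raccoon_rule(msg: dict):
    """subject CONTAINS (...) AND body CONTAINS (...) AND url.domain NOT IN trusted."""
    subject, body = msg["subject"].lower(), msg["body"].lower()
    if not any(t in subject for t in SUBJECT_TERMS):
        return False, []
    if not any(t in body for t in BODY_TERMS):
        return False, []
    bad = untrusted_urls(msg["body"])
    return bool(bad), bad


# Constructed sample messages (not real campaign mail); m1 and m2 mirror the lure themes above.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Unusual sign-in detected on your Microsoft account",
     "body": "We saw a sign-in from a new device. Verify it now: "
             "https://login.microsoftonline.com.secure-x7q2.net/common/login"},
    {"id": "m2", "subject": "Microsoft 365 password expiration",
     "body": "Your password expires today. Keep your current password: https://m365-auth.k9v2.net/verify"},
    {"id": "m3", "subject": "Office 365: secure document shared with you",
     "body": "Open the secure document: https://login.microsoftonline.com/common/oauth2/v2.0/authorize"},
    {"id": "m4", "subject": "Weekly sync notes",
     "body": "Slides: https://example.org/deck and please verify the agenda"},
]


def run_hunt(messages=SAMPLE_MESSAGES) -> dict:
    """Map message id -> untrusted URLs for every message the rule flags."""
    hits = {}
    for m in messages:
        flagged, urls = matches_raccoon_rule(m)
        if flagged:
            hits[m["id"]] = urls
    return hits


if __name__ == "__main__":
    for mid, urls in run_hunt().items():
        print(mid, "->", urls)
```

m3 is the control case: Microsoft-themed subject and body, but the only link really goes to login.microsoftonline.com, so it is not flagged.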
3. Identity & Account Compromise Indicators (Post-Phish)
RaccoonO365 campaigns frequently led to account takeover (ATO) rather than immediate malware execution.
A. Azure AD / Entra ID Signals
Successful login followed by:
Creation of inbox rules
Addition of mailbox forwarding addresses
OAuth app consent grants not previously approved
Sign-ins from:
New countries
Unfamiliar user agents
Anonymous or hosting providers
High-risk indicator:
Sign-in success → MFA satisfied → mailbox rule created within minutes
B. OAuth Abuse Indicators
Some victims reported malicious OAuth app consent following credential theft.
Watch for:
New OAuth applications with:
Mail.Read
Mail.Send
User.Read.All
App names that appear generic or Microsoft-like
4. Session & Token Abuse Indicators
RaccoonO365 kits harvest session cookies and tokens, allowing attackers to bypass weak MFA.
Indicators:
Login sessions persisting after password reset
Concurrent sessions from geographically distant locations
Access without MFA challenge where MFA is normally enforced
Immediate response action:
Force global sign-out and revoke refresh tokens for affected users.
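The three session indicators above can each be checked from sign-in logs alone, provided the log records which session (or refresh token) a sign-in reused. The example below is added for this post and is not Birdling code; the field names (session_id, session_issued, mfa, country), the one-hour travel window and the set of users an MFA policy should always challenge are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions for this example: users an MFA policy always challenges, and how close two
# sign-ins from different countries must be to count as "concurrent".
MFA_REQUIRED_USERS = {"cfo@example.com", "admin@example.com"}
TRAVEL_WINDOW = timedelta(hours=1)


def ts(s: str) -> datetime:
    """Parse ISO-8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def sessions_surviving_reset(signins: list, resets: list) -> list:
    """Sign-ins after a user's password reset that reuse a session issued before the reset."""
    last_reset = {}
    for r in resets:
        t = ts(r["time"])
        last_reset[r["user"]] = max(t, last_reset.get(r["user"], t))
    hits = []
    for s in signins:
        reset_at = last_reset.get(s["user"])
        if (reset_at and s["result"] == "success"
                and ts(s["time"]) > reset_at and ts(s["session_issued"]) < reset_at):
            hits.append((s["user"], s["session_id"]))
    return hits


def distant_concurrent(signins: list, window=TRAVEL_WINDOW) -> list:
    """Same user, successful sign-ins from two different countries within `window`."""
    by_user = {}
    for s in signins:
        if s["result"] == "success":
            by_user.setdefault(s["user"], []).append(s)
    pairs = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: ts(e["time"]))
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if ts(b["time"]) - ts(a["time"]) > window:
                    break           # events are sorted, later ones are further away still
                if a["country"] != b["country"]:
                    pairs.append((user, a["country"], b["country"]))
    return pairs


def mfa_bypassed(signins: list) -> list:
    """Successful sign-ins with no MFA challenge for users the policy should always challenge."""
    return [(s["user"], s["session_id"]) for s in signins
            if s["user"] in MFA_REQUIRED_USERS and s["result"] == "success" and s["mfa"] == "none"]


def triage(signins: list, resets: list) -> dict:
    return {"after_reset": sessions_surviving_reset(signins, resets),
            "distant": distant_concurrent(signins),
            "no_mfa": mfa_bypassed(signins)}


# Constructed events. s-100 is a session captured before the 09:00 reset and replayed after it.
PASSWORD_RESETS = [{"user": "cfo@example.com", "time": "2025-12-16T09:00:00Z"}]
SESSION_SIGNINS = [
    {"user": "cfo@example.com", "time": "2025-12-16T08:40:00Z", "country": "NG", "result": "success",
     "mfa": "satisfied", "session_id": "s-100", "session_issued": "2025-12-16T08:40:00Z"},
    {"user": "cfo@example.com", "time": "2025-12-16T09:05:00Z", "country": "NL", "result": "success",
     "mfa": "none", "session_id": "s-100", "session_issued": "2025-12-16T08:40:00Z"},
    {"user": "cfo@example.com", "time": "2025-12-16T11:00:00Z", "country": "NG", "result": "success",
     "mfa": "satisfied", "session_id": "s-101", "session_issued": "2025-12-16T11:00:00Z"},
    {"user": "alice@example.com", "time": "2025-12-16T10:00:00Z", "country": "NG", "result": "success",
     "mfa": "satisfied", "session_id": "s-200", "session_issued": "2025-12-16T10:00:00Z"},
    {"user": "alice@example.com", "time": "2025-12-16T15:00:00Z", "country": "KE", "result": "success",
     "mfa": "satisfied", "session_id": "s-201", "session_issued": "2025-12-16T15:00:00Z"},
]

if __name__ == "__main__":
    print(triage(SESSION_SIGNINS, PASSWORD_RESETS))
```

The replayed session shows up under all three checks at once, which is the point: a password reset alone does nothing against a stolen cookie, hence the global sign-out and refresh-token revocation above.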
5. Recommended Detection Queries (Generic)
A. Suspicious Inbox Rules
Detect inbox rules that:
Auto-forward emails externally
Hide messages containing keywords like "invoice", "payment", "bank"
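The high-risk sequence from section 3A (successful sign-in, MFA satisfied, mailbox rule created within minutes) and the suspicious-rule criteria just above fit naturally into one correlation. The example below is added for this post, not Birdling or Microsoft code; the sign-in and audit events are constructed, the ten-minute window and the list of "hiding" folders are assumptions, and the rule parameter names follow the Exchange New-InboxRule cmdlet (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords).

```python
from datetime import datetime, timedelta

INTERNAL_DOMAINS = ("example.com",)            # assumption: your own mail domains
HIDE_FOLDERS = ("deleted items", "rss subscriptions", "archive", "junk email",
                "conversation history")        # assumption: folders users rarely look at
FINANCE_WORDS = ("invoice", "payment", "bank")  # keywords from the query above
WINDOW = timedelta(minutes=10)                   # "within minutes"


def ts(s: str) -> datetime:
    """Parse ISO-8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_risks(params: dict) -> list:
    """Reasons an inbox rule looks like post-phish persistence (forwarding out, hiding mail)."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in params.get(key, []):
            if is_external(addr):
                reasons.append(f"{key} external address {addr}")
    hides = params.get("DeleteMessage", False) or params.get("MoveToFolder", "").lower() in HIDE_FOLDERS
    words = [w.lower() for w in params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])]
    finance = [w for w in words if w in FINANCE_WORDS]
    if hides and finance:
        reasons.append("hides messages matching " + ", ".join(finance))
    elif hides:
        reasons.append("hides messages")
    return reasons


def correlate(signins: list, audit: list, window=WINDOW) -> list:
    """Alert when a successful, MFA-satisfied sign-in is followed by New-InboxRule within `window`.
    Severity is high when the rule itself is risky, medium when only the timing is."""
    alerts = []
    ok = [s for s in signins if s["result"] == "success" and s["mfa"] == "satisfied"]
    for ev in audit:
        if ev["operation"] != "New-InboxRule":
            continue
        created = ts(ev["time"])
        for s in ok:
            if s["user"] != ev["user"]:
                continue
            delta = created - ts(s["time"])
            if timedelta(0) <= delta <= window:
                risks = rule_risks(ev["params"])
                alerts.append({"user": ev["user"], "signin_ip": s["ip"],
                               "minutes_after_signin": round(delta.total_seconds() / 60, 1),
                               "severity": "high" if risks else "medium", "reasons": risks})
                break
    return sorted(alerts, key=lambda a: a["user"])


# Constructed events (documentation IP ranges, fictitious users).
SIGNIN_EVENTS = [
    {"user": "cfo@example.com", "time": "2025-12-15T08:02:11Z", "result": "success", "mfa": "satisfied", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2025-12-15T09:00:00Z", "result": "success", "mfa": "satisfied", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2025-12-15T10:00:00Z", "result": "success", "mfa": "satisfied", "ip": "198.51.100.8"},
    {"user": "carol@example.com", "time": "2025-12-15T11:00:00Z", "result": "failure", "mfa": "none", "ip": "203.0.113.99"},
]
AUDIT_EVENTS = [
    {"user": "cfo@example.com", "time": "2025-12-15T08:06:40Z", "operation": "New-InboxRule",
     "params": {"ForwardTo": ["collector@mail-archive.example.net"], "DeleteMessage": True,
                "SubjectContainsWords": ["invoice", "payment"]}},
    {"user": "alice@example.com", "time": "2025-12-15T12:30:00Z", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "Projects", "SubjectContainsWords": ["Q1 plan"]}},
    {"user": "bob@example.com", "time": "2025-12-15T10:03:00Z", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "Newsletters", "SubjectContainsWords": ["digest"]}},
    {"user": "carol@example.com", "time": "2025-12-15T11:02:00Z", "operation": "New-InboxRule",
     "params": {"ForwardTo": ["x@other.example.org"]}},
]

if __name__ == "__main__":
    for a in correlate(SIGNIN_EVENTS, AUDIT_EVENTS):
        print(a)
```

Run rule_risks on its own over every New-InboxRule event as well: carol's rule never correlates with a successful sign-in in this sample, but an external forward is worth a ticket regardless of timing.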
B. OAuth App Review
List all OAuth apps added in last 30 days
Filter for high-privilege scopes
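This review and the OAuth abuse indicators in section 3B (Mail.Read, Mail.Send, User.Read.All, generic or Microsoft-like app names) come together in the example below, which is added for this post and is not Birdling or Microsoft code. The grant records are constructed, the scope set extends the three scopes named above with a few Graph permissions of the same class, and the publisher field and name heuristics are assumptions: a Microsoft-branded name is only a problem when the publisher is not Microsoft.

```python
from datetime import date

# Scopes named in section 3B plus Graph permissions of the same class (assumption).
HIGH_PRIV_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "User.Read.All",
                    "Directory.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}
BRAND_WORDS = ("microsoft", "office", "365", "outlook", "onedrive", "sharepoint")
GENERIC_WORDS = ("helper", "sync", "security", "update", "viewer", "tool")
LOOKBACK_DAYS = 30


def name_reason(name: str, publisher: str) -> str:
    """Why an app name looks suspect, or '' if it does not."""
    n = name.lower()
    if any(w in n for w in BRAND_WORDS) and publisher.lower() != "microsoft corporation":
        return "Microsoft-like name from a non-Microsoft publisher"
    if any(w in n for w in GENERIC_WORDS):
        return "generic app name"
    return ""


def review_consents(grants: list, today: str, lookback_days: int = LOOKBACK_DAYS) -> list:
    """Flag grants from the last `lookback_days` with high-privilege scopes, suspect names
    or an unverified publisher. Returns flagged grants, highest score first."""
    ref = date.fromisoformat(today)
    flagged = []
    for g in grants:
        if (ref - date.fromisoformat(g["consented_on"])).days > lookback_days:
            continue
        score, reasons = 0, []
        privileged = sorted(set(g["scopes"]) & HIGH_PRIV_SCOPES)
        if privileged:
            score += 2 * len(privileged)
            reasons.append("high-privilege scopes: " + ", ".join(privileged))
        why = name_reason(g["app_name"], g["publisher"])
        if why:
            score += 2
            reasons.append(why)
        if not g.get("publisher_verified", False):
            score += 1
            reasons.append("publisher not verified")
        if score:
            flagged.append({"app_id": g["app_id"], "app_name": g["app_name"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


# Constructed grant records; the app ids are placeholders, not real application ids.
CONSENT_GRANTS = [
    {"app_id": "11111111-1111-1111-1111-111111111111", "app_name": "Office 365 Mail Helper",
     "publisher": "Contoso Widgets", "publisher_verified": False, "consented_on": "2025-12-18",
     "scopes": ["Mail.Read", "Mail.Send", "offline_access", "User.Read"]},
    {"app_id": "22222222-2222-2222-2222-222222222222", "app_name": "Microsoft Teams",
     "publisher": "Microsoft Corporation", "publisher_verified": True, "consented_on": "2025-12-01",
     "scopes": ["User.Read"]},
    {"app_id": "33333333-3333-3333-3333-333333333333", "app_name": "Directory Sync Tool",
     "publisher": "Fabrikam", "publisher_verified": True, "consented_on": "2025-12-20",
     "scopes": ["User.Read.All"]},
    {"app_id": "44444444-4444-4444-4444-444444444444", "app_name": "Old CRM Connector",
     "publisher": "Fabrikam", "publisher_verified": True, "consented_on": "2025-09-01",
     "scopes": ["Mail.Read"]},
]

if __name__ == "__main__":
    for f in review_consents(CONSENT_GRANTS, "2025-12-22"):
        print(f["score"], f["app_name"], f["reasons"])
```

The 30-day cut-off is what the review above asks for; for a retrospective hunt after a confirmed phish, widen it to the earliest suspected compromise date rather than a fixed month.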
C. Domain Age Correlation
Flag URLs clicked by users where domain age < 60 days
6. Defensive Actions (Mapped to These IOCs)
| Control Area | Action |
|---|---|
| Identity | Enforce phishing-resistant MFA (FIDO2/security keys) |
| | Disable HTML-only login links; rewrite and scan URLs |
| Access | Block legacy authentication entirely |
| Monitoring | Alert on new inbox rules & OAuth grants |
| Awareness | Train users on Microsoft-branded phishing patterns |
The Birdling’s Ongoing Tracking
The Birdling continues to:
Track RaccoonO365 infrastructure resurrection attempts
Monitor domain reuse and pattern mutation
Enrich detections with Africa-specific threat context
Publish updated IOC snapshots for our MDR and advisory clients
Clients on our intelligence-led MDR receive:
Real-time alerts on re-emerging PhaaS infrastructure
Automated correlation with identity and email telemetry
Guided remediation playbooks
📩 Request the full machine-readable IOC pack (CSV / SIEM / SOAR formats) from The Birdling.
IOC packs are rear-view mirrors — valuable, but not enough alone.
The real defense against RaccoonO365-style threats is identity hardening + continuous monitoring + local threat intelligence. That’s where The Birdling focuses.
What The Birdling is doing (our services & offer)
Raccoon-style IOC & domain watch: we’ve ingested Microsoft DCU indicators related to RaccoonO365 into our STEM feed and are tracking residual domain resurrection and abuse patterns for victims. Clients receive near-real-time alerts.
Targeted threat hunts: we’re offering short engagements to search customer estates (mailboxes, identity logs, conditional-access events) for signs of credential harvesting and session capture.
Advisory on identity hardening: quick programs to enable phishing-resistant MFA, secure legacy authentication, and tighten third-party app permissions.
Public awareness & training: The Birdling will continue to publish technical briefs (with IOCs and detection queries) to raise baseline resilience.
If your organisation wants help prioritising actions or running a fast threat hunt, reach us at partner@thebirdling.com or book a free threat brief here.