CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

First reported
Last updated
3 unique sources, 5 articles

Summary

Hide ▲

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, also known as Moses Felix, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing laptops, mobile devices, and other digital equipment linked to the operation. The stolen data was used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks. The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'Raccoon0365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria. One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe is the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation. The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

Timeline

  1. 17.09.2025 07:31 5 articles · 3mo ago

    RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

    RaccoonO365 phishing kits were advertised with an annual subscription fee of $600, as well as discounted options for 30- and 60-day licenses. RaccoonO365 advertised a new AI-powered service titled 'RaccoonO365 AI-MailCheck'. RaccoonO365 phishing emails impersonated trusted brands or organizations within the targeted company, using familiar workplace themes to exploit trust and create urgency. RaccoonO365 phishing emails incorporated the recipient's name into links or attachments to enhance credibility. RaccoonO365 used file names designed to mimic routine communications, such as finance or HR documents, policy agreements, contracts, and invoices. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing digital equipment linked to the operation. The stolen data was used to fuel further cybercrimes, including business email compromise, financial fraud, and ransomware attacks. The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'Raccoon0365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria. One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe is the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation. The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.

Open in new tab

Princeton University Database Compromised in Phishing Attack

On November 10, 2025, Princeton University suffered a data breach after a phishing attack targeted an employee. The breach exposed personal information of alumni, donors, faculty, and students, including names, email addresses, phone numbers, and home and business addresses. The compromised database did not contain financial information, credentials, or records protected by privacy regulations. The university has since blocked the attackers' access and advised affected individuals to be cautious of phishing attempts. On November 18, 2025, Harvard University experienced a similar data breach due to a voice phishing attack. The breach exposed personal information of students, alumni, donors, staff, and faculty members. The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information. Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident and has sent data breach notifications to affected individuals. The breach was discovered on November 18, 2025, and involved unauthorized access to systems used by Harvard's Alumni Affairs and Development department. Harvard University is also one of the many victims of the recent Oracle E-Business Suite hacking campaign.

Open in new tab

ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.

Open in new tab

SesameOp malware leverages OpenAI Assistants API for command-and-control

A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.

Open in new tab

SIM-box operation dismantled, enabling global telecom fraud

European law enforcement dismantled a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm, enabling over 49 million fake online accounts and facilitating over 3,200 fraud cases resulting in at least 4.5 million euros in losses. The service provided phone numbers for various telecommunication crimes, including phishing, investment fraud, impersonation, extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM). The operation, codenamed 'SIMCARTEL,' involved multiple countries and seized significant infrastructure and assets. The SIM-box service operated through two websites, gogetsms.com and apisim.com, which have been seized. The service rented out phone numbers registered in over 80 countries, enabling the creation of fraudulent online accounts. The operation resulted in the arrest of seven individuals, including five Latvian nationals, and the seizure of 1,200 SIM-box devices, 40,000 SIM cards, five servers, and luxury vehicles. Financial assets totaling EUR 431,000 and $333,000 in crypto were also frozen. The operation's main raids occurred during an action day in Latvia on October 10, where 26 searches were carried out and five Latvian nationals were arrested. Three suspects were subject to a non-custodial security measure and a court imposed a security measure on a man born in 1982. Latvian law enforcement shared footage of a raid on a workspace packed with computer hardware, specialized equipment and large quantities of SIM cards.

Open in new tab