RaccoonO365 / Storm-2246 subscription phishing ecosystem disrupted after credential theft at scale
Threat Actor Meta
Summary
RaccoonO365 remains a phishing-as-a-service ecosystem tracked by Microsoft as Storm-2246, but the latest reporting adds Nigeria-based arrests tied to the operation. The Nigeria Police Force National Cybercrime Centre says investigators, working with Microsoft and the FBI, identified Okitipi Samuel / Moses Felix as the principal suspect and developer, and said he sold phishing links through Telegram and hosted fraudulent Microsoft 365 login portals on Cloudflare. The broader campaign is linked to theft of at least 5,000 Microsoft credentials from 94 countries since July 2024 and to business email compromise, data breaches, and financial losses across multiple jurisdictions.
Related Happenings
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
FBI-led takedown of W3LL phishing network
Law Enforcement
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Timeline
19.12.2025 12:26 · 1 article · 5mo ago
Nigeria arrests RaccoonO365 phishing suspects
Legal Policy Action Update
The Nigeria Police Force National Cybercrime Centre arrested three high-profile internet fraud suspects in connection with the RaccoonO365 phishing infrastructure and identified Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer. Investigators, working with Microsoft and the FBI, said he sold phishing links through a Telegram channel and hosted fraudulent Microsoft login portals on Cloudflare using stolen or fraudulently obtained email credentials.
Sources:
- Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks — thehackernews.com — 19.12.2025 12:26
17.09.2025 16:20 · 3 articles · 8mo ago
Microsoft and Cloudflare disrupt RaccoonO365 phishing service
Initial Disclosure
Microsoft and Cloudflare disrupted the RaccoonO365 Phishing-as-a-Service operation in early September 2025 by seizing 338 websites and Worker accounts linked to the service. Microsoft said the group, tracked as Storm-2246, had stolen at least 5,000 Microsoft credentials from 94 countries, and the operation had also run through a private Telegram channel with over 840 members and at least $100,000 in cryptocurrency payments. Microsoft later identified Joshua Ogundipe as the leader and said the stolen credentials, cookies, and other account data were reused for financial fraud, extortion, and follow-on access.
Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44