
How a Nigerian cybercrime ring cashed in $100K by running fake Microsoft login sites

The ring created phishing-as-a-service (PhaaS) for cybercriminals globally

Microsoft has shut down a cybercrime operation based in Nigeria that made over $100,000 by building and renting out fake Microsoft 365 login pages to scammers around the world.

The operation, known as RaccoonO365, was part of a growing trend called phishing-as-a-service (PhaaS), where cybercriminals create and lease sophisticated phishing tools to less tech-savvy fraudsters.

Since launching in July 2024, the platform has enabled a global network of criminals to steal login credentials by mimicking Microsoft-branded emails and websites.

In a coordinated legal and technical operation, Microsoft, along with cybersecurity firm Cloudflare, seized 338 websites used by RaccoonO365.

These websites were designed to look exactly like Microsoft login pages and were distributed through fake emails, malicious QR codes, and attachments.

According to Microsoft, more than 5,000 login credentials from users across 94 countries were stolen using this system.

The stolen information was likely sold on dark web forums or used in further scams such as business email compromise (BEC), a popular fraud technique in West Africa.

RaccoonO365 advertised its phishing tools through an invite-only Telegram channel with over 850 members.

The platform reportedly had between 100 and 200 active subscribers who paid for access to its phishing kits. These kits allowed users to select targets, send phishing links, and even track login attempts.

What makes this case particularly alarming is the low barrier to entry. Users of RaccoonO365 didn’t need advanced technical skills; all they had to do was pay a subscription fee to access powerful tools capable of fooling even cautious victims.

Microsoft’s Digital Crimes Unit (DCU) led the investigation, filing legal action in the US District Court to seize the domains and disrupt the group’s operations. However, experts warn that while this seizure is a win for cybersecurity, it is only a temporary disruption.

This development follows a similar case in which Nigerian tech startups, particularly those handling sensitive HR and financial data, are being targeted with phishing attacks.

The case highlights the urgent need for stronger cyber awareness, especially as cloud infrastructure is growing gradually in Nigeria. According to the Nigerian Computer Emergency Response Team (ngCERT), Nigerian-based cloud service providers are potential targets of Phobos ransomware attacks.

Across Africa more broadly, cybercrime is increasing. Scam notifications have surged by nearly 3,000% in key African countries like Zambia, Egypt, and Kenya. The leading form of scam in these countries is phishing.

For African businesses, especially SMEs that rely on Microsoft products, cybersecurity needs to be a priority as phishing operations become easier to access and more difficult to detect.
