A sophisticated phishing campaign is currently leveraging a subtle typographical trick to bypass user vigilance, deceiving victims into handing over sensitive login credentials. Attackers utilize the domain “rnicrosoft.com” to impersonate the tech giant.
By replacing the letter ‘m’ with the combination of ‘r’ and ‘n’, fraudsters create a visual doppelgänger that is nearly indistinguishable from the legitimate domain at a casual glance.
This technique, known as typosquatting, relies heavily on the font rendering used in modern email clients and web browsers.
When placed closely together, the kerning between ‘r’ and ‘n’ often mimics the structure of the letter ‘m’, fooling the brain into autocorrecting the error.
Harley Sugarman, CEO of Anagram, recently highlighted this specific vector, noting that the emails often mirror the official logo, layout, and tone of legitimate Microsoft correspondence.
Visual Deception to Steal Logins
The effectiveness of this attack vector lies in its subtlety. On high-resolution desktop monitors, the discrepancy might be visible to a keen observer, but the brain’s tendency to predict text often masks the anomaly.
The threat becomes even more acute on mobile devices, where screen real estate is limited, and the address bar often truncates the full URL. Attackers exploit this by registering these look-alike domains to facilitate credential phishing, vendor invoice scams, and internal HR impersonation campaigns.
Once the user is convinced the email is from a trusted entity, they are more likely to click on malicious links or download weaponized attachments.
The “rn” swap is just one of several variations attackers use. Other common tactics include swapping the letter ‘o’ for a zero or adding hyphens to legitimate brand names to create a sense of authenticity.
Defending against these homoglyph and typosquatting attacks requires a shift in user behavior rather than relying solely on automated filters. Security experts advise that users must expand the full sender address before interacting with any unsolicited email.
Hovering over hyperlinks to reveal the actual destination URL or long-pressing the link on mobile devices can expose the deception before a connection is made.
Furthermore, analyzing email headers, specifically the “Reply-To” field, can reveal if a scammer is routing responses to an external, uncontrolled inbox.
In scenarios involving unexpected password reset requests, the safest course of action is to ignore the email link entirely and navigate directly to the official service via a new browser tab.
Organizations are encouraged to rehearse these identification scenarios to stop teams from reflexively clicking on familiar-looking notifications.
Common Typosquatting Variations
| Technique | Visual Example | Deception Method |
|---|---|---|
| Letter Combination | rnicrosoft(.)com | Uses ‘r’ and ‘n’ to mimic ‘m’. |
| Number Swapping | micros0ft(.)com | Replaces the letter ‘o’ with the number ‘0’. |
| Hyphenation | microsoft-support(.)com | Adds legitimate-sounding subdomains or suffixes. |
| TLD Switching | microsoft(.)co | Uses a different Top Level Domain (dropping the ‘m’). |
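The following is an added example, not code from the article or from Microsoft, showing how a mail filter could flag the variations listed above together with the Reply-To mismatch described earlier. The protected-domain list, the function names, and the sample message are assumptions constructed for illustration, and the last two labels of a domain are treated as its registrable part.

```python
from email import message_from_string
from email.utils import parseaddr

PROTECTED = ("microsoft.com",)      # assumption: domains the defender wants to protect
FOLDS = (("rn", "m"), ("0", "o"))   # character swaps listed in the article's table

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower().rstrip(".")

def fold(label):
    """Collapse look-alike sequences so 'rnicros0ft' compares equal to 'microsoft'."""
    for src, dst in FOLDS:
        label = label.replace(src, dst)
    return label

def classify(domain, protected=PROTECTED):
    """Return the look-alike technique for a domain, or None if nothing matches."""
    labels = domain.split(".")
    legit = any(domain == g or domain.endswith("." + g) for g in protected)
    if len(labels) < 2 or legit:
        return None                  # too short, or the real domain / its subdomain
    # Simplification: the last two labels are treated as the registrable domain.
    name, tld = labels[-2], labels[-1]
    for good in protected:
        brand, _, good_tld = good.partition(".")
        if name == brand and tld != good_tld:
            return "tld-switch"
        if name != brand and fold(name) == fold(brand):
            return "character-swap"
        if fold(brand) in fold(name).split("-"):
            return "hyphenation"
    return None

def check_message(raw):
    """List (header, domain, finding) tuples for one RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if (kind := classify(sender)):
        findings.append(("From", sender, kind))
    if reply_to and reply_to != sender:      # replies would leave the sender's domain
        findings.append(("Reply-To", reply_to, "differs-from-sender"))
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = ("From: Microsoft Account Team <security@rnicrosoft.com>\n"
          "Reply-To: helpdesk@mail.example\n\nConstructed body.\n")
print(check_message(SAMPLE))
```

A differing Reply-To also occurs in legitimate mail such as mailing lists, so that finding is a prompt for review rather than a verdict.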
The post Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials appeared first on Cyber Security News.



