Cybercriminals are deploying a strikingly simple but highly effective optical illusion to impersonate Microsoft and steal user login credentials, according to security researchers tracking a new wave of phishing attacks. The campaign revolves around a deceptively crafted domain name — rnicrosoft.com — where the combination of the letters “r” and “n” mimics the appearance of an “m,” particularly in common digital fonts.
The technique is known as typosquatting, and it exploits the way modern screens render characters — as well as the tendency of the human brain to autocorrect familiar words. “You look at it quickly, and you swear you’re seeing ‘m,’ not ‘r-n’,” said Harley Sugarman, CEO of the cybersecurity firm Anagram, who recently flagged the scheme.
A Deception Built on Visual Predictability
Phishing emails using the “rnicrosoft.com” domain mirror official Microsoft notifications down to the formatting, color palette and tone. The goal is straightforward: trick recipients into clicking links or entering credentials on counterfeit login pages.
On high-resolution monitors, a careful user may notice the discrepancy. But on mobile devices — where URL bars truncate text and characters blend more easily — the illusion becomes extremely convincing. Cybercriminals are betting on that split-second misreading.
The domain has already been linked to credential-harvesting pages, vendor invoice scams, HR impersonation attacks and message threads posing as legitimate password-reset prompts. Once credentials are harvested, attackers can pivot into internal systems, steal sensitive files or conduct financial fraud.
Beyond ‘rn’: A Whole Toolkit of Visual Cheats
The “rn for m” swap is only one part of a broader family of homoglyph and typosquatting attacks, where attackers build copycat domains that look identical to trusted corporate names.
Other common variants include:
- micros0ft(.)com — where the letter “o” is replaced with a zero
- microsoft-support(.)com — adding hyphens and support-sounding terms
- microsoft(.)co — substituting the .com top-level domain with .co
- rnicrosoft-login(.)com — chaining multiple visual deceptions
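The variants above all follow a small number of mechanical patterns (confusable character sequences, decoy words joined with hyphens, and a swapped top-level domain), which means a defender can classify candidate domains by folding the confusables and comparing against a protected brand list. The following is an added example, not code from the article or from Anagram; the brand list, the decoy-word list, and the confusable table are constructed assumptions, and it accepts the defanged `(.)` notation used in the article:

```python
import re

# Constructed list of brand domains to protect (assumption for this example).
PROTECTED_DOMAINS = ["microsoft.com"]

# Character sequences typosquatters substitute for the glyph on the right.
# Multi-character folds run first so "rn" collapses to "m" before anything else.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Official-sounding words bolted onto a brand label (constructed list).
DECOY_TOKENS = {"login", "support", "secure", "account", "verify", "update", "help"}


def refang(domain: str) -> str:
    """Turn defanged notation such as micros0ft(.)com or example[.]com into a plain domain."""
    return re.sub(r"\s*[\(\[]\.[\)\]]\s*", ".", domain).strip().lower().rstrip(".")


def fold_confusables(label: str) -> str:
    """Collapse visually confusable sequences to the letter they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def analyze_domain(domain: str) -> dict:
    """Classify a domain as legitimate, lookalike, or unrelated to the protected brands.

    Returns {"domain", "verdict", "brand", "reasons"}; reasons lists the deception
    techniques detected (confusable characters, decoy tokens, TLD substitution).
    """
    d = refang(domain)
    labels = d.split(".")
    if len(labels) < 2:
        return {"domain": d, "verdict": "unrelated", "brand": None, "reasons": []}
    tld, sld = labels[-1], labels[-2]

    for brand in PROTECTED_DOMAINS:
        brand_sld, brand_tld = brand.rsplit(".", 1)
        tokens = [t for t in sld.split("-") if t]
        # A token "hits" when it reads as the brand once confusables are folded.
        hits = [t for t in tokens if fold_confusables(t) == brand_sld]
        if not hits:
            continue

        reasons = []
        for t in hits:
            if t != brand_sld:
                reasons.append(f"confusable characters: '{t}' reads as '{brand_sld}'")
        extras = [t for t in tokens if t not in hits]
        if extras:
            kind = "decoy" if any(t in DECOY_TOKENS for t in extras) else "extra"
            reasons.append(f"{kind} token(s) joined to the brand: {', '.join(extras)}")
        if tld != brand_tld:
            reasons.append(f"top-level domain '.{tld}' substituted for '.{brand_tld}'")

        verdict = "lookalike" if reasons else "legitimate"
        return {"domain": d, "verdict": verdict, "brand": brand, "reasons": reasons}

    return {"domain": d, "verdict": "unrelated", "brand": None, "reasons": []}


if __name__ == "__main__":
    # The variants quoted in the article, in defanged form, plus two controls.
    for sample in ["rnicrosoft.com", "micros0ft(.)com", "microsoft-support(.)com",
                   "microsoft(.)co", "rnicrosoft-login(.)com", "microsoft.com", "example.com"]:
        r = analyze_domain(sample)
        print(f"{r['domain']:<26} {r['verdict']:<11} {'; '.join(r['reasons'])}")
```

The classifier only inspects the registrable label directly under the TLD, so a brand name buried in a subdomain (brand.com.attacker.example) is reported as unrelated rather than as a lookalike; a production filter would also walk the subdomain labels and carry a Unicode confusables table for non-ASCII homoglyphs.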
These look-alike domains often survive for weeks before takedown, especially when hosted through offshore registrars or using bulletproof infrastructure.
Phishing Filters Can’t Catch Everything
While email providers and browsers have improved detection, security experts warn that no automated system can reliably detect every form of typosquatting. Many of these domains are technically valid and do not initially host malware, making them difficult for filters to flag.
That leaves users — and organizations — as the first and last line of defense.
How Users Can Protect Themselves
Researchers suggest adopting behavioral safeguards rather than relying solely on automated warnings:
- Expand and examine the full sender address before clicking anything
- Hover over links (or long-press on mobile) to view the actual destination
- Ignore in-email password reset prompts and instead visit the service manually
- Check the “Reply-To” field to see if it redirects to a suspicious inbox
- Avoid installing apps from email links, especially unsolicited “update” files
- Enable phishing-resistant MFA (such as FIDO keys)
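Three of the safeguards above (examine the full sender address, compare a link's visible text with its real destination, and check the Reply-To field) are mechanical enough to automate in a mail gateway or a triage script. The following is an added example, not code from the article or from any vendor it names; the sample message is constructed to imitate the campaign described and is not a real captured email:

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real capture): the From header and the
# link text say microsoft.com, while Reply-To and the real link target do not.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <no-reply@microsoft.com>
Reply-To: support@rnicrosoft.com
To: user@example.org
Subject: Action required: password reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today.</p>
<p><a href="https://login.rnicrosoft.com/reset?id=123">https://login.microsoft.com/reset</a></p>
<p><a href="https://www.microsoft.com/">Microsoft Support</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address, ignoring the display name."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Hostname a URL actually resolves to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def audit_message(raw: str) -> list[str]:
    """Return human-readable findings for the header and link checks."""
    msg = message_from_string(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        actual = host_of(href)
        # Link text that looks like a URL must match where the link really goes.
        shown = host_of(text) if text.startswith(("http://", "https://")) else None
        if shown and shown != actual:
            findings.append(f"link text shows '{shown}' but points to '{actual}'")
        # Any destination outside the sender's own domain is worth a second look.
        if actual and not (actual == from_dom or actual.endswith("." + from_dom)):
            findings.append(f"link destination '{actual}' is outside sender domain '{from_dom}'")
    return findings


if __name__ == "__main__":
    for finding in audit_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the constructed message it reports three findings: the Reply-To mismatch, the link whose visible text names microsoft.com while the href goes to login.rnicrosoft.com, and that same destination falling outside the sender's domain; the www.microsoft.com link passes both checks. The From-domain comparison trusts the header as written, so a deployment should pair it with SPF/DKIM/DMARC results rather than treat a matching From as proof of origin.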
Organizations, meanwhile, are being urged to conduct regular phishing drills, especially focusing on visual deception and domain-based attacks.
As typosquatting domains continue to proliferate — capitalizing on everything from font kerning to human pattern-recognition — cybersecurity experts say vigilance is the only reliable defense. “The scammers are counting on the fact that your eyes will lie to you,” Sugarman said. “And most of the time, they do.”
