Hackers Exploit ‘rn’ Typo Trick to Impersonate Microsoft and Marriott in Sophisticated Phishing Campaign

Cybercriminals are exploiting a visual typo trick known in cybersecurity as typosquatting or a homoglyph attack — replacing the letter “m” with the two letters “r” + “n” (“rn”) in domain names to make malicious URLs look legitimate at a quick glance. Because in many fonts the sequence “rn” appears almost identical to “m,” users often fail to notice the difference and trust the fake site.


Targeted Brands

Microsoft
Threat actors are using domains like rnicrosoft.com that visually mimic microsoft.com to trick users into thinking they are on official Microsoft login or service pages. These fake sites are designed to capture credentials.

Marriott International
Attackers have also registered lookalike domains such as rnarriottinternational.com and related variants to impersonate Marriott’s official site — likely to steal loyalty account access, personal data, or reservation information.


Why This Trick Works

  • Human brains tend to auto-correct familiar patterns, especially when glancing at a URL quickly — leading users to read “rn” as “m” without noticing the swap.
  • On mobile devices, address bars are short and the font is small, making the subtle switch even harder to detect.
  • Attackers often embed these URLs in seemingly legitimate emails or text messages using official branding and visual elements to lend credibility.

What the Threat Actors Want

Once a victim enters their login information on a fake site, attackers can:

  • Steal credentials (usernames/passwords)
  • Access or take over accounts
  • Move laterally into corporate systems (if business credentials are compromised)
  • Launch follow-on attacks (like phishing others from a compromised account)

How to Stay Safe

Be cautious with links:

  • Hover over: On a computer, hover your cursor over links to see the true destination URL before clicking.
  • Long-press on mobile: Before opening a link, long-press it to preview the URL.
  • Use bookmarks: Access critical sites (Microsoft, travel portals, banking) via saved bookmarks rather than links in emails or messages.

Check URLs carefully:

  • Look for subtle misspellings like “rn” instead of “m”, odd domain extensions, extra subdomains, or unfamiliar patterns.

Use strong authentication:

  • Multi-factor authentication (MFA) can help reduce the risk even if credentials are compromised (though not foolproof).

Security tools:

  • Anti-phishing solutions, AI-driven filters, and endpoint protection tools can catch these deceptive URLs before they reach users’ inboxes.
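The "rn"-for-"m" check described above can be automated in a mail or proxy filter. The sketch below is an added example, not code from the campaign report or any vendor; the watch list of brand labels and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed watch list of brand labels (illustrative; replace with your own).
PROTECTED_LABELS = {"microsoft", "marriott", "marriottinternational"}


def skeleton(label: str) -> str:
    """Collapse the 'rn' pair to the 'm' it visually resembles."""
    return label.lower().replace("rn", "m")


def hostname_of(url: str) -> str:
    """Extract the hostname; accept bare hosts that carry no scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def rn_lookalike(url: str, protected=PROTECTED_LABELS):
    """Return (label, brand) if a hostname label imitates a brand, else None.

    A label is a lookalike when it reads the same as a protected brand once
    'rn' is collapsed to 'm', but is not the brand itself. Checking every
    label also covers lookalikes placed under extra subdomains.
    """
    brands = {skeleton(b): b for b in protected}
    for label in hostname_of(url).split("."):
        brand = brands.get(skeleton(label))
        if brand is not None and label != brand:
            return label, brand
    return None


if __name__ == "__main__":
    # Constructed sample URLs; only the two lookalike domains come from the article.
    samples = [
        "https://login.rnicrosoft.com/signin",
        "https://rnarriottinternational.com/rewards",
        "https://www.microsoft.com/",
        "https://learn.microsoft.com/",  # legitimate 'rn' inside another label
    ]
    for url in samples:
        print(url, "->", rn_lookalike(url))
```

Comparing skeletons rather than searching for the string "rn" keeps legitimate hostnames such as `learn.microsoft.com` from being flagged.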

Broader Context

This isn’t an isolated tactic — Microsoft is among the most impersonated brands in phishing attacks generally, with attackers constantly innovating new tricks to fool users into disclosing credentials.