Cybercriminals are leaning on a deceptively simple visual trick in a fresh typosquatting wave: replacing the letter “m” with the two-character sequence “rn” to create convincing lookalike domains that resemble trusted brands such as Microsoft and Marriott. Targets report phishing emails and fake login pages from addresses like rnicrosoft.com and rnarriottinternational.com that attempt to steal credentials, loyalty points, and payment details.
How the RN Swap Can Look Like an M in Many Fonts
In many proportional fonts, “rn” blends into a shape nearly indistinguishable from “m,” especially on small screens or in bold type. That visual ambiguity is the point. Attackers register a domain containing “rn,” mirror a brand’s layout and logo, then send urgent messages—security alerts, invoice notices, password resets—to bait clicks. Unlike internationalized domain name homographs that rely on non-Latin characters, this is entirely ASCII, so defenses that flag Punycode (xn--) labels or mixed scripts never trigger, which makes it harder to filter and easier to miss at a glance.

Recent campaigns include fake Microsoft security notifications and Marriott loyalty-account messages. The lures look polished: correct color palettes, footers, even plausible ticket numbers. For Microsoft, the pretext often claims an unauthorized sign-in and prompts a “Keep my account secure” button that routes to the impostor domain. For Marriott, subjects dangle account changes, stays, or reward redemptions to pressure rapid action.
Why These Brands Are Prime Targets for Phishing
Microsoft remains one of the most impersonated brands globally, according to recurring analyses from email security vendors, because a single Microsoft 365 login can open the door to mailboxes, cloud storage, and collaboration data. Marriott and other hospitality chains hold high-value customer profiles and loyalty balances that can be monetized quickly. Attackers know the ROI: the FBI’s Internet Crime Complaint Center reports annual cybercrime losses exceeding $10B, with phishing among the most frequently reported threats.
Security researchers also note that mobile email clients conceal full sender details by default, showing only the display name, which makes it easier for display-name spoofing and lookalike domains to slip by. When combined with the “rn” trick, a message that appears to be from Microsoft or Marriott can pass a casual visual check unless recipients expand the header or preview the link destination.
How to Spot and Stop Typosquatting Lookalike Domains
Type, don’t tap. If a message urges you to reset a password or review a reservation, manually enter the brand’s address in your browser or use a trusted bookmark. This sidesteps the entire trap.
Use a password manager. Most managers only autofill on exact, previously saved domains. If your login doesn’t autofill, treat that as a red flag and re-check the URL for “rn” substitutions or other subtle changes (extra characters, swapped letters, or unfamiliar top-level domains).
Expand the sender. Tap the sender name to reveal the full address and domain. On desktop, hover over links to preview the destination; on mobile, long-press to see the URL before opening. Look closely for “rn” standing in for “m.”

Examine the message quality. Professional phishing kits can look convincing, but inconsistencies still leak through: slightly off typography, inconsistently formatted dates or currency, mismatched regional spellings, and generic greetings in messages that should reference your exact name or last four digits of an account.
Turn on multifactor authentication. Even if you enter credentials on a fake site, a strong second factor (hardware key or authenticator app) can prevent account takeover.
What Security Teams and Brands Can Do to Reduce Risk
Pre-register high-risk lookalikes. For major brands, defensive domain registrations covering common swaps (m↔rn, l↔1, o↔0) reduce an attacker’s options. Include obvious combinations with and without hyphens and multiple top-level domains.
Enforce email authentication. Deploy SPF, DKIM, and DMARC at a reject policy and monitor alignment to cut down on spoofed messages. Implement MTA-STS and TLS-RPT for transport security and visibility, and consider BIMI to help recipients visually verify legitimate mail.
Hunt and block. Use threat intelligence feeds, brand-monitoring services, and certificate transparency logs to identify newly registered lookalikes quickly. Block at the secure email gateway and DNS layers, and file takedown requests with registrars and hosting providers.
Train for visual traps. Include “rn” impersonations in phishing simulations and teach staff to verify domains in a monospaced view, where the difference between “m” and “rn” is clearer. Emphasize the habit of navigating directly to accounts rather than following embedded links.
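The “expand the sender” check above and the hunt-and-block step can both be automated with the same idea: collapse the confusable swaps the article lists (m↔rn, l↔1, o↔0) into one canonical spelling and compare the result against a list of protected brands. The script below is an added illustration, not code from the article or from any vendor; the protected-brand list, the sample From: headers and the helper names are constructed for this example, and the registrable-label logic is a simplification that ignores public suffixes such as co.uk.

```python
import re

# Confusable pairs the article lists (m<->rn, l<->1, o<->0). Each is mapped to
# one canonical spelling so a swap in either direction compares equal.
CONFUSABLES = [("rn", "m"), ("1", "l"), ("0", "o")]

# Brands to protect, mapped to the one apex domain they legitimately send from.
# Constructed for this example; a real list comes from the organisation's inventory.
PROTECTED = {"microsoft": "microsoft.com", "marriott": "marriott.com"}

def canonicalize(label: str) -> str:
    """Lower-case, drop hyphens, then collapse confusable sequences."""
    label = label.lower().replace("-", "")
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'rnicrosoft' from 'login.rnicrosoft.com'.
    Simplification: public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown' for a domain."""
    domain = domain.lower().strip(".")
    label = registrable_label(domain)
    for brand, legit in PROTECTED.items():
        if domain == legit or domain.endswith("." + legit):
            return "legitimate"          # the brand's real apex or a subdomain of it
        if brand in canonicalize(label):  # brand name survives once swaps are undone
            return "lookalike:" + brand
    return "unknown"

# Grab the domain of the last address in a From: value, ignoring the display name.
FROM_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")

def sender_domain(from_header: str) -> str:
    """'Microsoft Account Team <noreply@rnicrosoft.com>' -> 'rnicrosoft.com'."""
    m = FROM_RE.search(from_header.strip())
    return m.group(1).lower() if m else ""

def triage(from_header: str) -> str:
    """Verdict for one From: header value."""
    return classify(sender_domain(from_header))

if __name__ == "__main__":
    # Constructed sample headers; the first two reuse domains quoted in the article.
    for hdr in ["Microsoft Account Team <no-reply@rnicrosoft.com>",
                "Marriott Bonvoy <offers@rnarriottinternational.com>",
                "Microsoft <security@accountprotection.microsoft.com>",
                "Support <help@rnicr0soft-login.com>"]:
        print(f"{triage(hdr):20} {hdr}")
```

Because canonicalization also undoes the swap inside the top-level domain, a registration such as microsoft.corn is flagged as well, not just swaps in the brand name itself.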
The Bottom Line on RN-Based Typosquatting Scams
The “rn” gambit works because it exploits how we read under time pressure. Slow down, verify the domain, and assume urgency is manufactured. With a few habits—typing addresses yourself, using a password manager, and checking the full sender—this clever optical illusion becomes just another failed phish.
