Attackers are now using ‘rnicrosoft.com’ to trick victims
Tshedimoso Makhene
November 29, 2025
Attackers are exploiting a new typosquatting trick by swapping the letter “m” in microsoft.com with “rn”, creating a lookalike domain that is nearly indistinguishable at a glance.
What happened
According to Cybersecurity News, attackers are registering lookalike domains that replace the ‘m’ in microsoft.com with ‘rn’. In most proportional fonts an ‘r’ followed directly by an ‘n’ reads as a single ‘m’, so ‘rnicrosoft.com’ passes as the real domain at a glance. The lookalike is being used for credential phishing, internal HR impersonation campaigns and vendor invoice scams.
Going deeper
The ‘rn’ swap is one of several variations attackers use to trick victims. Others include:
- Number swapping: replacing the letter ‘o’ with a zero (micr0soft.com)
- Hyphenation: microsoft-support.com. This adds a legitimate-sounding suffix or subdomain to the brand name
- TLD switching: using microsoft.co instead of microsoft.com, i.e. a different top-level domain that drops the final ‘m’
The attack thrives on its subtlety and is even more effective on mobile devices, where screen space is limited and the address bar often truncates the full URL. On a high-resolution desktop monitor an attentive reader might notice the discrepancy, but because the brain anticipates familiar text, the anomaly is usually read straight past.
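The variants above are mechanical enough to check for automatically. The following Python script is an added example (not code from Paubox, Microsoft or Cybersecurity News) that classifies a hostname against a list of protected brands and then applies the same check to every link in an e-mail body, which is the "hover over the link" advice done by a mail gateway or SOC script instead of a human. The brand list, the substitutions beyond ‘rn’→‘m’ and ‘0’→‘o’, and the sample e-mail are all constructed for the example; the single-label public-suffix assumption is noted in the code.

```python
"""Lookalike-domain checks for the typosquatting variants discussed above.

Added example; not Paubox's, Microsoft's or Cybersecurity News' code. The brand
list, the extra substitutions and the sample e-mail below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed protected-brand list; in practice: your own domains plus trusted vendors.
PROTECTED = {"microsoft.com", "paubox.com"}

# Letter pairs that render like one letter in proportional fonts. The article
# covers 'rn' -> 'm'; 'vv' -> 'w' is an assumed extra of the same kind.
KERNING_PAIRS = {"rn": "m", "vv": "w"}
# Digit-for-letter swaps. The article covers '0' -> 'o'; the others are assumed extras.
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_host(host: str) -> tuple[list[str], str, str]:
    """'login.rnicrosoft.com' -> (['login'], 'rnicrosoft', 'com').

    Assumption: single-label public suffixes. A real deployment should use the
    Public Suffix List so that e.g. 'microsoft.co.uk' is split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def canonical_label(label: str) -> str:
    """Undo the visual tricks: 'rn1cr0soft' -> 'microsoft'."""
    out = label.translate(DIGIT_MAP)
    for seq, letter in KERNING_PAIRS.items():
        out = out.replace(seq, letter)
    return out


def classify_host(host: str) -> str:
    """Return one of: legit, homoglyph, hyphenation, tld-switch,
    brand-in-subdomain, unrelated."""
    host = host.lower().rstrip(".")
    if host in PROTECTED or any(host.endswith("." + p) for p in PROTECTED):
        return "legit"
    subs, sld, tld = split_host(host)
    for brand in PROTECTED:
        _, b_sld, b_tld = split_host(brand)
        if sld == b_sld and tld != b_tld:
            return "tld-switch"                 # microsoft.co
        if canonical_label(sld) == b_sld:
            return "homoglyph"                  # rnicrosoft.com, micr0soft.com
        tokens = sld.split("-")
        if len(tokens) > 1 and any(canonical_label(t) == b_sld for t in tokens):
            return "hyphenation"                # microsoft-support.com
        if any(canonical_label(s) == b_sld for s in subs):
            return "brand-in-subdomain"         # microsoft.com.evil.net
    return "unrelated"


ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def audit_links(html: str) -> list[dict]:
    """The 'hover over the link' check, automated: for each anchor, where it
    really goes, how that host classifies, and whether the visible text names
    a different host (text says microsoft.com, href does not)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        real_host = (urlparse(href).hostname or "").rstrip(".")
        shown = HOSTLIKE_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        findings.append({
            "href": href,
            "host": real_host,
            "verdict": classify_host(real_host),
            "text_mismatch": bool(shown) and shown.group(0) != real_host,
        })
    return findings


# Constructed phishing e-mail body, as a mail gateway or SOC script would see it.
SAMPLE_EMAIL = """
<p>Your password expires today. Re-authenticate now:</p>
<a href="https://login.rnicrosoft.com/reauth?id=1">https://login.microsoft.com</a>
<a href="https://microsoft-support.com/ticket">Open a support ticket</a>
<a href="https://learn.microsoft.com/security">Microsoft security docs</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f"{f['verdict']:<20} mismatch={f['text_mismatch']!s:<5} {f['href']}")
```

Running the script flags the first link twice over: its host canonicalises to microsoft.com (homoglyph) and its visible text names a different host than the href. The second link is caught by the hyphenation rule even though it contains no character trick at all, and the third is a genuine Microsoft subdomain. Canonicalising the suspect label (rather than generating every permutation of the brand) keeps the check cheap enough to run on every inbound message.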
In the know
This type of attack is known as typosquatting or URL hijacking. As Microsoft describes it, typosquatting is “when people - often criminals - register a common misspelling of another organization's domain as their own.”
To prevent this type of attack, Microsoft suggests:
- “Whenever possible go to your important sites like banking, social media, or shopping from your own saved favorites, rather than by typing them into the address bar of the browser each time.
- If you do have to type an address into the address bar, type carefully and double-check that what you typed matches the address you intended to go to before you continue.
- If you're typing in an address you've gone to before, your browser may offer to complete the address for you. Give it a quick look, but it's usually safer to accept that suggestion.
- Never click a link you weren't expecting in an email or other message, even if it appears to come from a trusted person or organization.
- If you have to click on a link, look carefully at the address it's going to take you to. Usually just hovering your mouse pointer over the address will show you what address the link will really take you to.”
Why it matters
Cybercriminals understand that users trust well-known brands like Microsoft and often don’t scrutinize URLs closely, especially when they’re busy, distracted, or using a small screen. By swapping characters in ways that look nearly identical, attackers create domains that appear legitimate at first glance, giving them a powerful foothold for social engineering.
FAQs
Why are users falling for these fake domains?
Most people don’t scrutinize URLs closely, and the brain tends to recognize familiar patterns automatically. This makes subtle changes easy to miss.
Are attackers only targeting Microsoft?
No. Typosquatting affects all major brands, including banking, e-commerce, social media, healthcare, and government platforms.
What should employees do if they suspect a typosquatting attack?
Report it immediately, avoid interacting with the site, and share the suspicious URL with the security team so it can be blocked organization-wide.