Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Attackers are now using ‘rnicrosoft.com’ to trick victims

Written by Tshedimoso Makhene | November 30, 2025

Attackers are exploiting a new typosquatting trick by swapping the letter ‘m’ in microsoft.com with ‘rn’, creating a lookalike domain that is nearly indistinguishable at a glance.


What happened

According to Cybersecurity News, attackers are now replacing the ‘m’ in microsoft.com with ‘rn’. Placing ‘r’ and ‘n’ next to each other mimics the letter ‘m’, so the reader does not notice the substitution and can fall victim to attacks such as credential phishing, internal HR impersonation campaigns, and vendor invoice scams.


Going deeper

The use of ‘rn’ is one variation that attackers are using to trick victims. Other variations include:

  • Number swapping: replacing the letter ‘o’ with zero (0; micros0ft.com)
  • Hyphenation: microsoft-support.com. This adds a legitimate-sounding subdomain or suffix
  • TLD switching: using microsoft.co instead of microsoft.com. This results in a different top-level domain where the ‘m’ is dropped

The attack thrives on its subtlety and becomes even more acute on mobile devices, where screen real estate is limited and the address bar often shortens the full URL. On a high-resolution desktop monitor an attentive observer might notice the discrepancy; however, the brain's tendency to anticipate text often conceals the anomaly.
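The three lookalike patterns above (confusable letters such as ‘rn’ for ‘m’ or ‘0’ for ‘o’, hyphenated suffixes, and a switched top-level domain) can be caught mechanically before a link reaches a user. The following Python is an added example, not code from the article or from Paubox; the protected-domain list, the confusable table and the sample email links are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brand domains we defend (hypothetical list for this example).
PROTECTED = ["microsoft.com"]
# Letter sequences that read as another glyph in common fonts; the article's
# 'rn' for 'm' and '0' for 'o' come first.
CONFUSABLES = [("rn", "m"), ("0", "o"), ("vv", "w"), ("cl", "d"), ("1", "l")]
# Constructed sample of links extracted from an inbound email.
SAMPLE_LINKS = [
    "https://login.microsoft.com/",
    "https://rnicrosoft.com/login",
    "http://micros0ft.com/reset",
    "https://microsoft-support.com/invoice",
    "https://microsoft.co/",
]

def normalize(label: str) -> str:
    """Fold confusable sequences so a lookalike collapses onto the real label."""
    label = label.lower()
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label

def registered_parts(host: str) -> Tuple[str, str]:
    """Split 'x.microsoft-support.com' into ('microsoft-support', 'com').
    Naive two-label split; production code should use a public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def classify(url: str) -> Optional[str]:
    """Return the lookalike pattern a URL's host matches, or None if clean."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == p or host.endswith("." + p) for p in PROTECTED):
        return None  # the real domain or one of its own subdomains
    sld, tld = registered_parts(host)
    folded = normalize(sld)
    for prot in PROTECTED:
        p_sld, p_tld = prot.split(".", 1)
        if sld == p_sld and tld != p_tld:
            return "tld-switch"   # microsoft.co
        if folded == p_sld:
            return "confusable"   # rnicrosoft.com, micros0ft.com
        if re.fullmatch(rf"(\w+-)?{re.escape(p_sld)}(-\w+)?", folded):
            return "hyphenation"  # microsoft-support.com
    return None

def scan(links: List[str]) -> List[Tuple[str, str]]:
    """Return (url, pattern) for every link that looks like a brand lookalike."""
    return [(u, classify(u)) for u in links if classify(u)]
```

Running `scan(SAMPLE_LINKS)` flags four of the five constructed links and leaves the genuine login.microsoft.com subdomain alone; a mail gateway or link-rewriting proxy can use the same verdicts to quarantine or warn.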


In the know

This type of attack is known as typosquatting or URL hijacking. As Microsoft describes it, typosquatting is “when people - often criminals - register a common misspelling of another organization's domain as their own.”

To prevent this type of attack, Microsoft suggests:

  • “Whenever possible go to your important sites like banking, social media, or shopping from your own saved favorites, rather than by typing them into the address bar of the browser each time.
  • If you do have to type an address into the address bar, type carefully and double-check that what you typed matches the address you intended to go to before you continue.
  • If you're typing in an address you've gone to before, your browser may offer to complete the address for you. Give it a quick look, but it's usually safer to accept that suggestion.
  • Never click a link you weren't expecting in an email or other message, even if it appears to come from a trusted person or organization.
  • If you have to click on a link, look carefully at the address it's going to take you to. Usually just hovering your mouse pointer over the address will show you what address the link will really take you to.”


Why it matters

Cybercriminals understand that users trust well-known brands like Microsoft and often don’t scrutinize URLs closely, especially when they’re busy, distracted, or using a small screen. By swapping characters in ways that look nearly identical, attackers create domains that appear legitimate at first glance, giving them a powerful foothold for social engineering.



FAQs

Why are users falling for these fake domains?

Most people don’t scrutinize URLs closely, and the brain tends to recognize familiar patterns automatically. This makes subtle changes easy to miss.


Are attackers only targeting Microsoft?

No. Typosquatting affects all major brands, including banking, e-commerce, social media, healthcare, and government platforms.


What should employees do if they suspect a typosquatting attack?

Report it immediately, avoid interacting with the site, and share the suspicious URL with the security team so it can be blocked organization-wide.