Microsoft: Microsoft typosquatting scam swaps letters to steal logins

New Phishing Campaign Exploits "rnicrosoft.com" Typosquatting Trick

A sophisticated phishing campaign is leveraging a deceptive domain—rnicrosoft.com—to impersonate Microsoft and steal login credentials. The tactic relies on a visual trick: replacing the letter m with the letters r and n side by side, which appear nearly identical in many fonts, especially on mobile devices where URLs are often shortened.

Attackers mimic Microsoft’s branding, email layout, and tone to create a false sense of legitimacy, increasing the likelihood of victims clicking malicious links. The scam exploits how the human brain processes familiar words, filling in gaps automatically rather than scrutinizing each letter. Mobile users are particularly vulnerable due to smaller screens and limited space for close inspection.

Beyond rnicrosoft.com, cybercriminals employ multiple typosquatting variations, including:

  • Number swapping (e.g., micros0ft.com)
  • Hyphenation (e.g., microsoft-support.com)
  • TLD switching (e.g., microsoft.co)
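A defender-side check for the variations listed above, as an added example that is not part of the original article: it folds lookalike character sequences before comparing a sender or link domain with a protected brand. The names `PROTECTED`, `CONFUSABLES`, `skeleton`, `classify` and `check_sender` are hypothetical, the confusables table is illustrative rather than exhaustive, and the sample addresses are constructed.

```python
# Added example: flag sender/link domains that imitate a protected brand.
PROTECTED = {"microsoft": "microsoft.com"}   # assumption: brand label -> real domain

# Lookalike sequences folded to the character they imitate (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(label):
    """Fold lookalikes so 'rnicrosoft' and 'micros0ft' both reduce to 'microsoft'."""
    s = label.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def classify(host):
    """Return (brand, technique) for an impersonating host, or None if not flagged."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Simplification: treat the last two labels as the registrable domain
    # (no public-suffix list, so names under e.g. co.uk are not handled).
    sld, tld = labels[-2], labels[-1]
    for brand, real in PROTECTED.items():
        if f"{sld}.{tld}" == real:
            return None                       # genuine domain or a subdomain of it
        if sld == brand:
            return (brand, "tld-switch")      # microsoft.co
        if skeleton(sld) == skeleton(brand):
            return (brand, "character-swap")  # rnicrosoft.com, micros0ft.com
        if skeleton(brand) in (skeleton(t) for t in sld.split("-")):
            return (brand, "hyphenation")     # microsoft-support.com
    return None


def check_sender(address):
    """Classify the domain part of an email address such as a From or Reply-To value."""
    return classify(address.rsplit("@", 1)[-1].strip("> "))


# Constructed sample input: the domains named in the article plus two benign ones.
SAMPLES = ["alerts@rnicrosoft.com", "micros0ft.com", "microsoft-support.com",
           "microsoft.co", "login.microsoft.com", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} {check_sender(s)}")
```

The brand is folded through the same table as the candidate, so a protected name that itself contains a sequence such as "rn" still compares correctly.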

Once victims interact with these domains, attackers deploy follow-up scams such as credential phishing, fake HR notices, or fraudulent payment requests. The speed of these attacks reduces the chance of detection, making them highly effective.

This threat extends beyond Microsoft, targeting banks, retailers, healthcare portals, and government services. The campaign underscores the risks of automated trust in familiar branding and the challenges of spotting subtle URL manipulations, particularly on mobile devices.

Source: https://www.foxnews.com/tech/microsoft-typosquatting-scam-swaps-letters-steal-logins

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/Microsoft

"id": "MIC1767116152",
"linkid": "Microsoft",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Unknown (Potentially Global)',
                        'industry': 'Software, Cloud Services',
                        'name': 'Microsoft (Impersonated)',
                        'type': 'Technology Company'}],
 'attack_vector': 'Email',
 'customer_advisories': 'Users advised to verify URLs, avoid clicking '
                        'suspicious links, and follow security best practices.',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information)',
                 'type_of_data_compromised': 'Login Credentials'},
 'description': 'A new phishing campaign is exploiting a visual trick by using '
                'the domain rnicrosoft.com to impersonate Microsoft and steal '
                "login credentials. Attackers use the letters 'r' and 'n' side "
                "by side to mimic the letter 'm', tricking users into trusting "
                "the fraudulent domain. The emails closely copy Microsoft's "
                'branding, layout, and tone to appear legitimate.',
 'impact': {'brand_reputation_impact': 'Potential Erosion of Trust in '
                                       'Microsoft Branding',
            'data_compromised': 'Login Credentials',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Phishing Email'},
 'lessons_learned': 'Typosquatting attacks exploit human behavior and visual '
                    'perception, particularly on mobile devices. Users must '
                    'verify URLs carefully, avoid clicking email links for '
                    'sensitive actions, and rely on bookmarks for critical '
                    'accounts.',
 'motivation': 'Credential Theft, Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Public awareness campaigns, '
                                                  'security training, and '
                                                  'implementation of URL '
                                                  'verification tools.',
                            'root_causes': 'Exploitation of human visual '
                                           'perception, mobile device '
                                           'limitations, and trust in familiar '
                                           'branding.'},
 'recommendations': ['Expand the full sender address before clicking any '
                     'links.',
                     'Preview links before clicking (hover on desktop, '
                     'long-press on mobile).',
                     'Avoid using email links for password or security alerts; '
                     'manually navigate to official websites.',
                     'Use strong antivirus software to block known phishing '
                     'domains.',
                     'Check the Reply To field for hidden red flags.',
                     'Consider a data removal service to reduce targeting by '
                     'scammers.',
                     'Rely on saved bookmarks for critical accounts to avoid '
                     'mistyped URLs.'],
 'references': [{'source': 'Fox News / CyberGuy Report',
                 'url': 'https://www.cyberguy.com'}],
 'response': {'communication_strategy': 'Security Advisories, Public Awareness '
                                        'Campaigns'},
 'title': 'Phishing Campaign Exploiting rnicrosoft.com Typosquatting Domain',
 'type': 'Phishing',
 'vulnerability_exploited': 'Typosquatting (Visual Deception)'}