Attackers are running a sophisticated typosquatting campaign that impersonates Microsoft and Marriott International by exploiting a visual trick: replacing the letter “m” with “rn” (r + n). In many fonts, “rn” looks nearly identical to “m,” making these domains appear legitimate at a glance.
How the Attack Works
- Typosquatting / Homoglyph attack:
  - Example: rnarriottinternational.com looks like marriottinternational.com.
  - Example: rnicrosoft.com looks like microsoft.com.
- Psychological trick: Human eyes often autocorrect the typo, especially on mobile screens where differences are harder to spot.
- Delivery method:
  - Fake websites steal loyalty credentials or Microsoft account logins.
  - Phishing emails mimic official branding, logos, and tone.
Recent Campaigns
- Marriott International:
  - Malicious domains: rnarriottinternational.com, rnarriotthotels.com.
  - Goal: Steal loyalty program credentials and guest data.
- Microsoft:
  - Malicious domain: rnicrosoft.com.
  - Used in phishing emails with fake security alerts and invoices.
  - Particularly dangerous on mobile devices.
Indicators of Compromise (IOCs)
| Phishing Domain | Impersonated Service | Technique | Detection Difficulty |
|---|---|---|---|
| rnarriottinternational.com | Marriott Intl | “m” → “rn” | Critical |
| rnarriotthotels.com | Marriott Hotels | “m” → “rn” | Critical |
| rnicrosoft.com | Microsoft 365/Login | “m” → “rn” | High (Mobile) |
| micros0ft.com | Microsoft | “o” → “0” | Medium |
| microsoft-support.com | Microsoft Support | Hyphenation / suffix | Low |
Defensive Recommendations
- Expand sender address: On mobile, tap the sender name to reveal the full email.
- Hover before clicking: On desktop, hover over links to see the actual destination.
- Manual entry: Type marriott.com or microsoft.com directly into your browser.
- Password managers: They won’t auto-fill credentials on fake domains.
- Block IOCs: Security teams should blacklist the flagged domains immediately.
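
Beyond blocking the listed domains one by one, a mail or proxy filter can catch the same substitutions generically. The sketch below is an added example, not code from the original article: the function names are hypothetical, the protected list contains only the legitimate domains named above, and the two-label domain split is a simplifying assumption.

```python
# Added example: flag lookalike domains using the substitutions in the IOC table.
# PROTECTED holds only the legitimate domains named in the article.
PROTECTED = ("microsoft.com", "marriott.com", "marriottinternational.com")

# Lookalike sequence -> character it imitates ("rn" for "m", "0" for "o").
SUBSTITUTIONS = (("rn", "m"), ("0", "o"))


def registrable(value):
    """Domain part of a host or sender address, reduced to its last two labels.
    Assumption: single-label TLDs only; use a public-suffix list in production."""
    host = value.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def skeleton(domain):
    """Collapse confusable sequences so visually identical names compare equal."""
    for fake, real in SUBSTITUTIONS:
        domain = domain.replace(fake, real)
    return domain


# Skeletonise the protected names too: "international" itself contains "rn",
# so comparing a candidate's skeleton with the raw brand name would miss it.
BY_SKELETON = {skeleton(d): d for d in PROTECTED}
KEYWORDS = sorted(((skeleton(d).split(".")[0], d) for d in PROTECTED),
                  key=lambda kv: len(kv[0]), reverse=True)


def classify(value):
    """Return (verdict, impersonated_domain_or_None)."""
    domain = registrable(value)
    if domain in PROTECTED:
        return ("legitimate", domain)
    skel = skeleton(domain)
    if skel in BY_SKELETON:
        return ("homoglyph", BY_SKELETON[skel])
    label = skel.split(".")[0]
    for keyword, brand in KEYWORDS:  # longest brand label first
        if keyword in label:
            return ("brand-keyword", brand)
    return ("clean", None)


if __name__ == "__main__":
    # Constructed sample input: domains from the article plus two controls.
    for sample in ("security@rnicrosoft.com", "rnarriottinternational.com",
                   "rnarriotthotels.com", "micros0ft.com",
                   "microsoft-support.com", "login.microsoft.com", "example.org"):
        print(sample, classify(sample))
```

A "brand-keyword" verdict covers both the hyphen/suffix pattern and homoglyph variants that add extra words, since the keyword match runs on the collapsed form of the name.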
Takeaway
This campaign shows how attackers exploit tiny visual differences in domain names to bypass human attention and trick users. With homoglyph attacks, vigilance is key: always verify URLs carefully.