A sophisticated “homoglyph” phishing campaign targeting customers of Marriott International and Microsoft. Attackers are registering domains that replace the letter “m” with the combination “rn” (r + n), creating fake websites that look nearly identical to the real ones.
This technique, known as typosquatting or a homoglyph attack, exploits the way modern fonts display text. In many fonts, the letters “r” and “n” are placed next to each other (rn) look visually indistinguishable from the letter “m” (m).
Hackers rely on this visual trick to bypass your brain’s ability to spot errors. When you glance quickly at a URL like rnarriottinternational.com, your brain often “autocorrects” what it sees, assuming it says “Marriott”.
Recent Campaigns Identified
Marriott International Targeted
Security firm Netcraft recently identified a cluster of malicious domains attempting to impersonate the hotel giant. These domains are likely used to steal loyalty account credentials or personal guest data.
- The primary domain identified is
rnarriottinternational.com. - Attackers have also registered variations like
rnarriotthotels.comto target specific hotel brands.
Microsoft Users Under Fire
Harley Sugarman, CEO of the security firm Anagram, highlighted a similar campaign targeting Microsoft users. Phishing emails in this campaign use the domain rnicrosoft.com to send fake security alerts or invoice notifications.
- These emails mimic the official Microsoft logo, tone, and layout.
- The attack is particularly dangerous on mobile devices, where small screens make the “rn” vs. “m” difference almost impossible to see.
Indicators of Compromise (IOCs)
The following domains have been flagged as malicious. Security teams should block these immediately, and users should be wary of any links directing to them.
| Phishing Domain | Impersonated Service | Typosquatting Technique | Detection Difficulty |
|---|---|---|---|
rnarriottinternational.com |
Marriott International | ‘m’ replaced with ‘rn’ | Critical |
rnarriotthotels.com |
Marriott Hotels | ‘m’ replaced with ‘rn’ | Critical |
rnicrosoft.com |
Microsoft 365 / Login | ‘m’ replaced with ‘rn’ | High (Mobile) |
micros0ft.com |
Microsoft | ‘o’ replaced with ‘0’ | Medium |
microsoft-support.com |
Microsoft Support | Hyphenation / Suffix | Low |
How to Stay Safe
- Expand the Sender Address: On mobile email apps, tap the sender’s name to reveal the full email address. Look closely for the “rn” trick.
- Hover Before You Click: On a computer, hover your mouse cursor over links without clicking to see the actual destination URL.
- Manual Entry: If you receive an urgent email about a hotel booking or account reset, do not click the link. Open a browser and type
marriott.comormicrosoft.comyourself. - Use Password Managers: A password manager will not auto-fill your credentials on a fake site like
rnicrosoft.combecause it recognizes that the domain is different from the real one.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
