Microsoft typosquatting scam swaps letters to steal logins

A new phishing campaign is exploiting a visual trick that’s easy to miss and hard to unsee once you know about it. Attackers use the rnicrosoft.com domain to impersonate Microsoft and steal login credentials. The trick is simple. Instead of the letter m, scammers place r and n next to each other. In many fonts, those letters are blurred and appear almost identical to the naked eye.

Security experts are sounding the alarm because this tactic works. These emails closely copy Microsoft’s branding, design, and tone, making them feel familiar and trustworthy. That false sense of legitimacy is usually all it takes to get a quick click before you realize something is wrong.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

MOST PARKED DOMAINS CAN NOW BE SCAMED AND MALWARE

Why your brain falls for the rn trick

This attack is based on how people read. Your brain predicts words instead of scanning each letter. When something looks familiar, you fill in the blanks automatically. On a large desktop monitor, an attentive reader might be able to spot the flaw. On a phone, the risk increases. The address bar often shortens URLs and the screen leaves little room for close inspection. That’s exactly where the attackers want you. Once trust is established, you are more likely to enter passwords, approve fake invoices, or download harmful attachments.

Common typo variations to watch out for

Attackers rarely rely on a single trick. They mix various visual deceptions to increase their odds.

Letter combinations

rnicrosoft.com
Use ryn together to imitate m

Number exchange

micros0ft.com
Replace the letter o with the number 0

Hipliation

microsoft-support.com
Add official-sounding words to appear legitimate

TLD change

microsoft.co
Use a different domain ending to look real.

What attackers do after clicking

Quatting domains like rnicrosoft.com are rarely used for a single purpose. Criminals reuse them in multiple scams. Common traces include credential phishingfake HR notices, and vendor payment requests. In all cases, the attacker benefits from speed. The faster you act, the less likely you will be to notice the mistake.

Why these fake domains still work

Most people don’t slow down to read URLs character by character. Familiar logos and language reinforce trust, especially during a busy work day. Mobile phone use makes this worse. Smaller screens, shortened links, and constant notifications create the perfect conditions for errors. This is not a problem unique to Microsoft. Banks, retailers, healthcare portals and government services face the same risk.

How to stay safe from typographic attacks

Typography scams work because they rush you into trusting what seems familiar. These steps slow down that time and help you detect fake domains before damage is done.

1) Expand the full sender address each time

Before you click anything, open the full sender address in the email header. Display names and logos are easy to fake, but domains tell the real story. Look carefully for swapped letters like rn instead of m, added hyphens, or strange domain endings. If the direction feels a little off, treat the message as hostile.

NETFLIX SUSPENSION SCAM TARGETS YOUR INBOX

2) Preview links before clicking

On a desktop computer, hover your mouse over the links to reveal the actual destination. On a phone, long-press the link to preview the URL. This simple pause often exposes lookalike domains designed to steal logins. If the link does not match the exact site you expect, do not continue.

3) Avoid email links for passwords or security alerts.

When an email claims that your account needs urgent action, do not use its links. Instead, open a new browser tab and manually go to the official website using a saved bookmark. Legitimate companies do not require you to act through surprise links, and this habit instantly eliminates most typosquatting attempts.

4) Use powerful antivirus software for added protection

Strong antivirus software can block known phishing domains, flag malicious downloads, and warn you before entering credentials on risky sites. While it can’t detect every new typographic trick, it adds an important safety net when human attention fails.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Check the Reply To field for hidden red flags.

Even if the sender address appears correct, inspect the Reply To field. Many phishing campaigns send responses to external inboxes that have nothing to do with the actual company. A discrepancy here is a strong sign that the message is a scam.

HOLIDAY DELIVERIES AND FAKE TRACKING TEXTS: HOW SCAMMERS TRACK YOU

6) Consider a data deletion service to reduce segmentation

Typosquatting attacks often start with leaked or deleted contact data. A data removal service can help remove your personal information from data broker sites, reducing the number of fraudulent emails and targeted phishing attempts that arrive in your inbox.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.

7) Trust saved bookmarks for critical accounts

For email, banking, and work portals, use bookmarks that you created yourself. This eliminates the risk of misspelling addresses or trusting links in messages. It is one of the simplest and most effective defenses against attacks from similar domains.

CLICK HERE TO DOWNLOAD THE News APP

Kurt’s Key Takeaways

Typosquatting works because it targets human behavior, not software failures. A single swapped character can bypass filters and fool smart people in seconds. Knowing these tricks slows down attackers and puts you back in control. Consciousness turns a sophisticated scam into an obvious fake.

If a single letter can decide whether you get hacked, how carefully do you really read the links you rely on every day? Let us know by writing to us at Cyberguy.com.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

Copyright 2025 CyberGuy.com. All rights reserved.