A sophisticated “homoglyph” phishing campaign is targeting customers of Marriott International and Microsoft. Attackers are registering domains that replace the letter “m” with the combination “rn” (r + n), creating fake websites that look nearly identical to the real ones.
This technique, known as typosquatting or a homoglyph attack, exploits the way modern fonts display text. In many fonts, the letters “r” and “n” placed next to each other (rn) look visually indistinguishable from the letter “m”.
Hackers rely on this visual trick to bypass your brain’s ability to spot errors. When you glance quickly at a URL like rnarriottinternational.com, your brain often “autocorrects” what it sees, assuming it says “Marriott”.
Security firm Netcraft recently identified a cluster of malicious domains attempting to impersonate the hotel giant. These domains are likely used to steal loyalty account credentials or personal guest data.
rnarriottinternational.com.
rnarriotthotels.com to target specific hotel brands.
Harley Sugarman, CEO of the security firm Anagram, highlighted a similar campaign targeting Microsoft users. Phishing emails in this campaign use the domain rnicrosoft.com to send fake security alerts or invoice notifications.
The following domains have been flagged as malicious. Security teams should block these immediately, and users should be wary of any links directing to them.
| Phishing Domain | Impersonated Service | Typosquatting Technique | Detection Difficulty |
|---|---|---|---|
| rnarriottinternational.com | Marriott International | ‘m’ replaced with ‘rn’ | Critical |
| rnarriotthotels.com | Marriott Hotels | ‘m’ replaced with ‘rn’ | Critical |
| rnicrosoft.com | Microsoft 365 / Login | ‘m’ replaced with ‘rn’ | High (Mobile) |
| micros0ft.com | Microsoft | ‘o’ replaced with ‘0’ | Medium |
| microsoft-support.com | Microsoft Support | Hyphenation / Suffix | Low |
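For security teams screening mail or proxy logs, the substitutions in the table can be checked mechanically. The following is an added example, not code from Netcraft or Anagram: it collapses the two confusable sequences listed above and flags hostnames whose normalized form contains a protected brand name. The function names, the brand list and the verdict labels are assumptions made for illustration.

```python
# Added example: flag lookalike domains using the substitutions from the table.
# Real brand domains named in the article; the rest of this file is constructed.
LEGIT = ("marriott.com", "microsoft.com")
BRANDS = ("marriott", "microsoft")
# ASCII confusables listed in the table; not an exhaustive homoglyph map.
CONFUSABLES = (("rn", "m"), ("0", "o"))


def skeleton(text):
    """Collapse confusable sequences so lookalikes map to the same string."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def classify(domain):
    """Return (verdict, impersonated_brand) for a hostname."""
    domain = domain.strip().lower().rstrip(".")
    # An exact match or a true subdomain of a real brand domain is fine.
    if any(domain == d or domain.endswith("." + d) for d in LEGIT):
        return ("legitimate", None)
    name = domain.rsplit(".", 1)[0]  # drop the TLD (naive: no public-suffix list)
    for brand in BRANDS:
        if brand in name:
            # Brand spelled correctly but inside a different domain
            # (the "Hyphenation / Suffix" row of the table).
            return ("brand-keyword", brand)
        if skeleton(brand) in skeleton(name):
            # Brand only appears after undoing rn->m or 0->o.
            return ("homoglyph", brand)
    return ("no-match", None)


if __name__ == "__main__":
    # Domains from the article's table plus two constructed benign hosts.
    for host in ("rnarriottinternational.com", "rnarriotthotels.com",
                 "rnicrosoft.com", "micros0ft.com", "microsoft-support.com",
                 "login.microsoft.com", "example.org"):
        print(f"{host:30} {classify(host)}")
```

The comparison is done on raw strings, not on how they render, which is why it catches what a quick glance at the URL misses.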
marriott.com or microsoft.com yourself.
rnicrosoft.com because it recognizes that the domain is different from the real one.