Hackers Use ‘rn’ Typo Trick to Impersonate Marriott in New Phishing Attack

A sophisticated “homoglyph” phishing campaign is targeting customers of Marriott International and Microsoft. Attackers are registering domains that replace the letter “m” with the combination “rn” (r + n), creating fake websites that look nearly identical to the real ones.

This technique, known as typosquatting or a homoglyph attack, exploits the way modern fonts display text. In many fonts, the letters “r” and “n” placed next to each other (rn) look visually indistinguishable from the letter “m”.

Hackers rely on this visual trick to bypass your brain’s ability to spot errors. When you glance quickly at a URL like rnarriottinternational.com, your brain often “autocorrects” what it sees, assuming it says “Marriott”.

Recent Campaigns Identified

Marriott International Targeted

Security firm Netcraft recently identified a cluster of malicious domains attempting to impersonate the hotel giant. These domains are likely used to steal loyalty account credentials or personal guest data.

  • The primary domain identified is rnarriottinternational.com.
  • Attackers have also registered variations like rnarriotthotels.com to target specific hotel brands.

Microsoft Users Under Fire

Harley Sugarman, CEO of the security firm Anagram, highlighted a similar campaign targeting Microsoft users. Phishing emails in this campaign use the domain rnicrosoft.com to send fake security alerts or invoice notifications.

  • These emails mimic the official Microsoft logo, tone, and layout.
  • The attack is particularly dangerous on mobile devices, where small screens make the “rn” vs. “m” difference almost impossible to see.

Indicators of Compromise (IOCs)

The following domains have been flagged as malicious. Security teams should block these immediately, and users should be wary of any links directing to them.

| Phishing Domain | Impersonated Service | Typosquatting Technique | Detection Difficulty |
| --- | --- | --- | --- |
| rnarriottinternational.com | Marriott International | ‘m’ replaced with ‘rn’ | Critical |
| rnarriotthotels.com | Marriott Hotels | ‘m’ replaced with ‘rn’ | Critical |
| rnicrosoft.com | Microsoft 365 / Login | ‘m’ replaced with ‘rn’ | High (Mobile) |
| micros0ft.com | Microsoft | ‘o’ replaced with ‘0’ | Medium |
| microsoft-support.com | Microsoft Support | Hyphenation / Suffix | Low |
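
One way a mail gateway or proxy filter could catch the substitutions listed above, as an added example that is not from the original article: it collapses lookalike sequences into a "skeleton" and compares the result against protected brand names. The brand list, the extra `vv` and `1` mappings, the function names and the sample local parts and benign hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: protected brands and the registrable domains they really use.
BRANDS = {"marriott": {"marriott.com"}, "microsoft": {"microsoft.com"}}
ALLOWED = set().union(*BRANDS.values())

# Lookalike sequences collapsed in order; "rn" and "0" come from the article,
# "vv" and "1" are added generalisations.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(text):
    """Lower-case and collapse lookalikes, so 'rnicros0ft' becomes 'microsoft'."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def hostname(value):
    """Accept a URL, an e-mail address or a bare host and return the host."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.rsplit("@", 1)[-1].lower().rstrip(".")


def registrable(host):
    """Naive last-two-labels cut; a real filter needs a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def check(value):
    """Return (brand, reason) if the host imitates a protected brand, else None."""
    host = hostname(value)
    if registrable(host) in ALLOWED:
        return None  # genuine domain or one of its subdomains
    for brand in BRANDS:
        # Skeletonise both sides so a brand that itself contains "rn" still matches.
        if skeleton(brand) in skeleton(host):
            reason = "brand-in-name" if brand in host else "confusable-substitution"
            return brand, reason
    return None


# Domains in the first line are from the article's table (local part constructed);
# the second line holds constructed benign cases that must not be flagged.
SAMPLES = ["rnarriottinternational.com", "alerts@rnicrosoft.com", "micros0ft.com",
           "https://login.microsoft.com/", "marriott.com", "modern.example"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} {check(sample)}")
```

Because the allow-list is checked on the registrable domain first, genuine subdomains pass, while a host that merely embeds the brand name (the hyphenation/suffix row) is still reported with a separate reason.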

How to Stay Safe

  1. Expand the Sender Address: On mobile email apps, tap the sender’s name to reveal the full email address. Look closely for the “rn” trick.
  2. Hover Before You Click: On a computer, hover your mouse cursor over links without clicking to see the actual destination URL.
  3. Manual Entry: If you receive an urgent email about a hotel booking or account reset, do not click the link. Open a browser and type marriott.com or microsoft.com yourself.
  4. Use Password Managers: A password manager will not auto-fill your credentials on a fake site like rnicrosoft.com because it recognizes that the domain is different from the real one.


The post Hackers Use ‘rn’ Typo Trick to Impersonate Marriott in New Phishing Attack appeared first on Cyber Security News.
