Microsoft typosquatting scam swaps letters to steal logins

NEWYou can now listen to Fox News articles!

A new phishing campaign is exploiting a visual trick that is easy to miss and hard to unsee once you know it. Attackers are using the domain rnicrosoft.com to impersonate Microsoft and steal login credentials. The trick is simple. Instead of the letter m, scammers place r and n side by side. In many fonts, those letters blur together and look almost identical to an m at a quick glance.

Security experts are sounding the alarm because this tactic works. These emails closely copy Microsoft branding, layout and tone, which makes them feel familiar and trustworthy. That false sense of legitimacy is often all it takes to get a quick click before you realize something is wrong.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter

MOST PARKED DOMAINS NOW PUSH SCAMS AND MALWARE

Why your brain falls for the rn trick

This attack relies on how people read. Your brain predicts words instead of scanning each letter. When something looks familiar, you fill in the gaps automatically. On a large desktop monitor, a careful reader might spot the flaw. On a phone, the risk jumps. The address bar often shortens URLs, and the screen leaves little room for close inspection. That is exactly where attackers want you. Once trust is established, you are more likely to enter passwords, approve fake invoices or download harmful attachments.

Common typosquatting variations to watch for

Attackers rarely rely on a single trick. They mix several visual deceptions to increase their odds.

Letter combinations

rnicrosoft.com
Uses r and n together to mimic m

Number swapping

micros0ft.com
Replaces the letter o with the number 0

Hyphenation

microsoft-support.com
Adds official-sounding words to look legitimate

TLD switching

microsoft.co
Uses a different domain ending to appear real

What attackers do after you click

Typosquatting domains like rnicrosoft.com are rarely used for a single purpose. Criminals reuse them across multiple scams. Common follow-ups include credential phishing, fake HR notices and vendor payment requests. In every case, the attacker benefits from speed. The faster you act, the less likely you are to notice the mistake.

Why these fake domains keep working

Most people do not slow down to read URLs character by character. Familiar logos and language reinforce trust, especially during a busy workday. Mobile use makes this worse. Smaller screens, shortened links and constant notifications create perfect conditions for mistakes. This is not a Microsoft-only problem. Banks, retailers, healthcare portals and government services all face the same risk.

How to stay safe from typosquatting attacks

Typosquatting scams work because they rush you into trusting what looks familiar. These steps slow that moment down and help you spot fake domains before damage is done.

1) Expand the full sender address every time

Before clicking anything, open the full sender address in the email header. Display names and logos are easy to fake, but domains tell the real story. Look closely for swapped letters like rn in place of m, added hyphens or strange domain endings. If the address feels even slightly off, treat the message as hostile.

NETFLIX SUSPENSION SCAM TARGETS YOUR INBOX

2) Preview links before you click

On a desktop, hover your mouse over links to reveal the real destination. On a phone, long-press the link to preview the URL. This simple pause often exposes lookalike domains designed to steal logins. If the link does not match the exact site you expect, do not proceed.

3) Avoid email links for password or security alerts

When an email claims your account needs urgent action, do not use its links. Instead, open a new browser tab and manually go to the official website using a saved bookmark. Legitimate companies do not require you to act through surprise links, and this habit cuts off most typosquatting attempts instantly.

4) Use strong antivirus software for added protection

Strong antivirus software can block known phishing domains, flag malicious downloads and warn you before you enter credentials on risky sites. While it cannot catch every new typo trick, it adds an important safety net when human attention slips.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

5) Check the Reply To field for hidden red flags

Even if the sender address looks correct, inspect the Reply To field. Many phishing campaigns route replies to external inboxes that have nothing to do with the real company. A mismatch here is a strong signal that the message is a scam.

HOLIDAY DELIVERIES AND FAKE TRACKING TEXTS: HOW SCAMMERS TRACK YOU

6) Consider a data removal service to reduce targeting

Typosquatting attacks often begin with leaked or scraped contact details. A data removal service can help remove your personal information from data broker sites, reducing the number of scam emails and targeted phishing attempts that reach your inbox.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com

7) Rely on saved bookmarks for critical accounts

For email, banking and work portals, use bookmarks you created yourself. This eliminates the risk of mistyping addresses or trusting links in messages. It is one of the simplest and most effective defenses against lookalike domain attacks.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Kurt’s key takeaways

Typosquatting works because it targets human behavior, not software flaws. A single swapped character can bypass filters and fool smart people in seconds. Knowing these tricks slows attackers down and gives you back control. Awareness turns a sophisticated scam into an obvious fake.

If a single letter can decide whether you get hacked, how closely are you really reading the links you trust every day? Let us know by writing to us at Cyberguy.com

Read the full article here