What happened
Attackers are using an ‘rn’ typo trick to impersonate Microsoft and Marriott International in a homoglyph phishing campaign that registers lookalike domains in which the letter “m” is replaced with the two-letter sequence “rn.” The report described fake domains such as rnarriottinternational.com, rnarriotthotels.com, and rnicrosoft.com, chosen because “rn” renders almost indistinguishably from “m” in common fonts and especially on small mobile screens. The security firm Netcraft was cited as identifying malicious domains impersonating Marriott International, with the suspected intent of stealing loyalty account credentials or personal guest data. Harley Sugarman of Anagram was cited describing a similar campaign targeting Microsoft users with phishing emails that use rnicrosoft.com to deliver fake security alerts or invoice notifications. The campaign is characterized as typosquatting/homoglyph abuse intended to capture credentials via convincing brand-mimic pages.
Who is affected
Users and customers of Marriott International and Microsoft services are directly affected through credential phishing risk. Organizations are indirectly affected when employee accounts are targeted, particularly on mobile devices where domain inspection is harder and phishing success rates may increase.
Why CISOs should care
Homoglyph typosquatting is a low-cost, high-scale technique that evades user vigilance and can bypass basic domain pattern checks. Successful credential theft can lead to account takeover, MFA fatigue scenarios, downstream BEC, and wider compromise where enterprise SSO or reused credentials are involved.
3 practical actions
- Block and monitor lookalike domains: Add known homoglyph domains to blocking controls and monitor DNS/proxy logs for related typosquat access attempts.
- Harden authentication against phishing: Enforce phishing-resistant MFA where possible and tighten conditional access for risky sign-ins and new devices.
- Improve user reporting workflows: Ensure employees can rapidly report suspicious login prompts and brand-impersonation emails, especially from mobile clients.
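The first action, monitoring DNS/proxy logs for the “rn” lookalikes, can be made stronger than a static blocklist: fold every “rn” to “m” before comparing a logged host against the brands you protect, so unlisted variants are caught as well as the three domains named above. The script below is an added example written for this brief, not code from the report, Netcraft or Anagram; the protected-domain list and the proxy/DNS log lines are constructed for the example, and the log format (timestamp, client IP, GET/DNS, target) is an assumption.

```python
"""Flag 'rn' <-> 'm' homoglyph lookalikes of protected brand domains in proxy/DNS logs."""
from urllib.parse import urlsplit

# Brands this organisation wants to protect (constructed list for the example).
PROTECTED_DOMAINS = {
    "microsoft.com",
    "marriott.com",
    "marriottinternational.com",
    "marriotthotels.com",
}

# Constructed sample log lines: "<timestamp> <client> <GET|DNS> <url-or-qname> ...".
LOG_LINES = [
    "2024-05-01T10:02:11Z 10.0.0.5 GET https://login.microsoft.com/common/oauth2 200",
    "2024-05-01T10:02:14Z 10.0.0.5 GET https://login.rnicrosoft.com/security-alert 200",
    "2024-05-01T10:03:02Z 10.0.0.9 DNS rnarriottinternational.com A",
    "2024-05-01T10:03:40Z 10.0.0.9 GET https://www.marriott.com/loyalty 200",
    "2024-05-01T10:04:05Z 10.0.0.12 DNS rnarriotthotels.com A",
    "2024-05-01T10:05:00Z 10.0.0.3 GET https://modern.example/ 200",
]


def canonical(name: str) -> str:
    """Fold the 'rn' digraph to 'm' so that rnicrosoft.com and microsoft.com compare equal.
    Applied to both sides, it also catches the reverse substitution (m -> rn)."""
    return name.lower().replace("rn", "m")


def lookalike_of(host: str, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `host` or one of its parent domains imitates, else None.
    The genuine brand domain and its real subdomains are never reported."""
    labels = host.lower().rstrip(".").split(".")
    # Walk login.rnicrosoft.com -> rnicrosoft.com; the bare TLD is skipped.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in protected:
            return None  # genuine brand domain (or a subdomain of it)
        for brand in protected:
            if candidate != brand and canonical(candidate) == canonical(brand):
                return brand
    return None


def host_from_log_line(line: str):
    """Extract (timestamp, client, host) from one constructed proxy/DNS log line."""
    ts, client, kind, target = line.split()[:4]
    host = target if kind == "DNS" else urlsplit(target).hostname
    return ts, client, host


def scan_logs(lines, protected=PROTECTED_DOMAINS):
    """Return (timestamp, client, host, imitated_brand) for every lookalike hit."""
    hits = []
    for line in lines:
        ts, client, host = host_from_log_line(line)
        brand = lookalike_of(host, protected)
        if brand:
            hits.append((ts, client, host, brand))
    return hits


if __name__ == "__main__":
    for ts, client, host, brand in scan_logs(LOG_LINES):
        print(f"{ts} {client} {host} imitates {brand}")
```

Because the comparison is made on the canonical form, a registrable domain such as modern.example is not flagged: it only matters when the folded name collides with a protected brand. In production, feed the function from your proxy or resolver export and treat each hit as a candidate for the blocking control and for a user-reporting follow-up with the affected client.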
