A sophisticated phishing campaign is currently leveraging a subtle typographical trick to bypass user vigilance, deceiving victims into handing over sensitive login credentials. Attackers use the domain “rnicrosoft.com” to impersonate the tech giant. By replacing the letter ‘m’ with the combination of ‘r’ and ‘n’, fraudsters create a visual doppelganger that is nearly indistinguishable from the legitimate domain at a casual glance.

This technique, known as typosquatting, relies heavily on the font rendering used in modern email clients and web browsers. When placed closely together, the kerning between ‘r’ and ‘n’ often mimics the structure of the letter ‘m’, fooling the brain into autocorrecting the error.

The effectiveness of this attack vector lies in its subtlety. On high-resolution desktop monitors, the discrepancy might be visible to a keen observer, but the brain’s tendency to predict text often masks the anomaly. The threat becomes even more acute on mobile devices, where screen real estate is limited and the address bar often truncates the full URL.

Attackers exploit this by registering these look-alike domains to facilitate credential phishing, vendor invoice scams, and internal HR impersonation campaigns. Once the user is convinced the email is from a trusted entity, they are more likely to click on malicious links or download weaponized attachments.

The “rn” swap is just one of several variations attackers use. Other common tactics include swapping the letter ‘o’ for a zero or adding hyphens to legitimate brand names to create a sense of authenticity.

Defending against these homoglyph and typosquatting attacks requires a shift in user behavior rather than relying solely on automated filters. Security experts advise that users must expand the full sender address before interacting with any unsolicited email.
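
The look-alike patterns described above (the ‘rn’ for ‘m’ swap, zero for ‘o’, and added hyphens) can also be checked mechanically when triaging reported mail. The following is an added example, not part of the original article: the protected-domain list, the sample From headers and the function names are constructed for illustration, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from email.utils import parseaddr

# Assumption: genuine domains the organisation wants to protect (constructed).
PROTECTED = ("microsoft.com", "paypal.com")
# Substitutions named in the article: 'rn' standing in for 'm', zero for 'o'.
CONFUSABLES = (("rn", "m"), ("0", "o"))


def skeleton(label: str) -> str:
    """Collapse look-alike sequences so visually similar labels compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable(domain: str) -> str:
    # Assumption: the last two labels form the registrable domain. Real
    # deployments should consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def impersonates(from_header: str):
    """Return the protected domain a sender imitates, or None if it looks clean."""
    _, addr = parseaddr(from_header)  # ignores the display name entirely
    domain = registrable(addr.rpartition("@")[2])
    if not domain or domain in PROTECTED:
        return None
    label = domain.split(".")[0]
    # Compare the whole label with hyphens removed, plus each hyphen-separated
    # part, to catch both "micro-soft" and "microsoft-support" style names.
    forms = {skeleton(label.replace("-", ""))} | {skeleton(p) for p in label.split("-")}
    for brand in PROTECTED:
        if skeleton(brand.split(".")[0]) in forms:
            return brand
    return None


if __name__ == "__main__":
    samples = [  # constructed From headers
        "Microsoft Support <security@rnicrosoft.com>",
        "billing@micr0soft.com",
        "hr@micro-soft.com",
        "noreply@mail.microsoft.com",
    ]
    for s in samples:
        print(f"{s!r:50} -> {impersonates(s)}")
```

Any unlisted domain whose name collapses to a protected brand is flagged, so `PROTECTED` should list every genuine domain the organisation actually sends from.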