The Lowest-Tech Homoglyph That Won’t Die: How ‘rn’ Still Masquerades as ‘m’

Cybercriminals have borrowed visual deception tricks from the earliest days of internet, and few have stayed stubbornly effective as the use of character lookalikes.  One of the simplest and most recognizable is the pairing of “r” and “n” to imitate the shape of “m” or “rn.” It is not new by any means, in fact, this illusion shows up in phishing campaigns going back to the mid-2000s when attackers first realized users often scan URLs instead of reading them.

Homoglyph attacks don’t stop there, as we saw in one of our recent blogs covering the use of the Japanese Hiragana character ん, mimicking a forward slash. Other examples include replacing “0” with “O,” and slipping Cyrillic or Greek characters into URLs or login pages that looked identical to Latin letters. Variants like “paypaI.com” with a capital I instead of an L, “gοοgle.com” with Greek omicrons, and “facebοok.com” with mixed alphabets have all surfaced in real campaigns. These tricks rely on the same principle.

Despite years of awareness, the “rn” technique is still commonly used by attackers. In this report, we will cover several recent examples of this technique being used across various industries.

microsoft Becomes rnicrosoft

One of the most widely recognized examples of the “rn” homoglyph technique is the long-running abuse of Microsoft branding. Because Microsoft 365 identities sit at the center of email, cloud storage, collaboration tools, and third-party integrations, even a subtle visual imitation can have outsized impact. Replacing the “m” in Microsoft with “rn” produces domains that appear legitimate at a glance, particularly in long URLs or on mobile devices, and this pattern has been observed repeatedly in phishing campaigns targeting Microsoft login and security workflows. While this example is well known, the same technique increasingly appears outside the Microsoft ecosystem, where it is often harder for users to recognize.

Spreading Past Microsoft

Aside from the common Microsoft examples, Netcraft identified that recently created domains also impersonate other organizations starting with the “M”, such as Marriott, MasterCard, Medicare, Morgan Stanley, Mozilla, and others.

MasterCard Examples:

• rnastercard[.]de

• rnastercard[.]com[.]br

• rnastercard[.]ca

• login[.]aviatornastercard[.]com

• rnastercard-financial[.]int[.]Zendesk[.]lang-en[.]us

• rnastercards[.]com

Medicare Examples:

• rnedicare[.]pt

• yournedicaresolutions[.]com

Morgan Stanley Examples:

• rnoganstanley[.]com

Mozilla Examples:

• rnozilla[.]pro

• rnozilla[.]fun

Marriott Examples:

• rnarriott-sp[.]com

• rnarriottinternational[.]com

• rnarriotthotels[.]com

• rnarriotthotel[.]com

• jwrnarriott[.]com

Magento Examples:

• rnagento[.]com

Mass Mutual Examples:

• rnassmutual.com

Mitsubishi Examples:

• rnitsubishielectric[.]com

Mercedes Benz Examples:

• rnercedes[.]de

• rnercedesbenz[.]com

• rnercedes[.]benz[.]co[.]uk

• rnercedes-benz[.]pl

Moderna Examples:

• rnoderna[.]link

• rnoderna[.]com

• rnodernaproducts[.]com

Marcus by Goldman Sachs Example:

·      rnarcusbygoldmansachs[.]org[.]ee

Marcus Theaters Examples:

·      rnarcustheatres[.]com

Motorola Examples:

• rnotorolasolutlons.]com

• rnotorola[.]ru

Camouflaged M

While attackers often aim at brands that start with the letter M for this technique, some of the mist convincing domains come from swapping an internal “m” with “rn” inside words. These substitutions are harder to spot because users tend to skim the middle of the URL and focus more on the beginning and end, such as “payrnent”, “ernail”, “docurnent”, “custorner”, and many others.

This technique becomes even more dangerous when it appears in words that organizations commonly use as part of their brand, subdomains, or service identifiers. Terms like email, message, member, confirmation, and communication all contain mid-word m’s that users barely process. Spoofed subdomains can appear as:

• email.example.com  →  ernail.example.com

• confirmation.example.com  →  confirnation.example.com

• communication.example.net →  cornmunication.example.net

• member.example.org  →  mermber.example.org

Such subtle distortions blend into what users expect to see during everyday interactions. Many large services incorporate mid-word m’s into branded functionality. For instance, companies use terms such as account-confirmation, secure-email, or member-access within legitimate subdomains or sign-in portals.

Aside from those examples, Netcraft also observed “rn” being used in large organization names with “m” inside their names, such as Instagram, for example instagrarn[.]blog and instagrarn[.]lat.

Recommendations for Defenders

Detecting and disrupting homoglyph-based attacks requires both proactive monitoring, detection, and user-focused safeguards. Although the “rn → m” substitution is simple and not novel, its persistence shows that low effort visual deception continues to be a popular technique amongst cybercriminals.

Netcraft continuously monitors brand impersonation, homoglyph abuse, lookalike domains, malicious hosting, and phishing infrastructure. It can automatically identify domains that resemble your brand or include known homoglyph patterns and alert you before attackers begin an active campaign.

Beyond Netcraft, organizations should also consider URL filtering and DNS security tools should be configured to flag or block domains that contain known homoglyph sequences or suspicious character combinations such as “ernail,” “managernent,” or other mid-word swaps commonly used in phishing kits.