The "rn" vs. "m" Illusion: Hacking the Human Eye

Category: Identity Security / Social Engineering / Phishing

The current campaign, flagged by security researchers this week, is targeting massive brands like Microsoft and Marriott. The "hook" is simple: the lowercase letters "r" and "n" when placed together (rn) look nearly identical to the lowercase letter "m" in many common digital fonts (like Arial, Helvetica, or Segoe UI).

rn vs m homoglyph phishing attack exploiting human vision

The Technical Deep Dive: Why It Works

This isn't a bug in the code; it's a "feature" of Kerning—the space between characters in a font.

  • Font Rendering: In modern web browsers and mobile devices, fonts are optimized for readability. When "r" and "n" are placed next to each other, the "shoulder" of the r often blends into the first "stem" of the n.

  • The Result: rnarriottinternational.com becomes marriottinternational.com to the casual observer.

  • The Mobile Trap: On small smartphone screens, the resolution and font size make this distinction mathematically impossible for the human eye to catch at a glance.

The Attack Chain: From "rn" to Account Takeover

  1. Domain Hunting: Attackers use tools like DNSDumpster to find high-traffic domains with an "m".

  2. Registration: They register the "rn" version (e.g., rnicrosoft.com) through privacy-focused registrars, often paying in cryptocurrency to remain anonymous.

  3. The Phishing Kit: They deploy a "Phishing-as-a-Service" kit (like the recently tracked RaccoonO365). These kits automatically clone the real website’s CSS and HTML.

  4. Bypassing Filters: To bypass email scanners, they use ZLOGS (Zero-day Link Obfuscation) or hide the link behind a legitimate service like a Microsoft Forms or SharePoint page.

  5. The Payload: The victim enters their credentials. The kit even supports MFA-Interception, prompting the user for their 2FA code and immediately using it to log in on the real site in the background (Adversary-in-the-Middle).

Technical Indicators of Compromise (IOCs)

Security researchers have identified several active domains currently being used for credential harvesting and Adversary-in-the-Middle (AiTM) attacks.

Impersonated BrandMalicious Phishing DomainTyposquatting Technique
Microsoft 365rnicrosoft.comm $\rightarrow$ rn
Marriott Intl.rnarriottinternational.comm $\rightarrow$ rn
Marriott Hotelsrnarriotthotels.comm $\rightarrow$ rn
Microsoftmicros0ft.como $\rightarrow$ 0 (Zero)
Microsoftrnicrosoft-login.comm $\rightarrow$ rn + Suffix

Associated IP Patterns & TTPs:

  • Hosting: Frequently hosted on Cloudflare or Namecheap to mask the true origin IP.

  • MFA Bypass: These domains often use the Tycoon2FA or RaccoonO365 phishing kits, which can intercept MFA codes in real-time.

  • Email Sender: security-noreply@rnicrosoft.com or bookings@rnarriotthotels.com.

SOC Monitoring Strategy: What Analysts Must Look For

For a SOC team, detecting these attacks requires moving beyond basic URL filtering. The goal is to detect the "Visual Deception" before the user enters their credentials.

  1. SIEM Search Queries (The "rn" Regex): Analysts should run regex searches on DNS logs and Email Gateway logs.

    • Regex Example: .*rn.* inside common brand strings.

    • Logic: Flag any domain where rn exists in a position where the company usually has an m.

  2. DNS Anomaly Detection: Monitor for newly registered domains (less than 30 days old) that have a high Levenshtein Distance (similarity) to your protected brand names.

  3. Email Header & "Reply-To" Inspection: Check if the Display Name is "Microsoft Security" but the From address is alert@rnicrosoft.com.

  4. Behavioral Red Flags (The AiTM Pattern): Alert on Impossible Travel—e.g., a user logs in from their home IP, and 5 minutes later, a session token for the same user is seen from a known hosting provider IP.

ZyberWalls Analysis: The "Semantic Backdoor"

At ZyberWalls, we view this as a Trust Failure. The industry has spent billions on "Zero Trust" architecture, but we still trust our own eyes—and our eyes are easily deceived.

The Reality Check: A hacker doesn't need to find a 0-day vulnerability in Microsoft's servers if they can find a 0-day vulnerability in your perception. This campaign is particularly dangerous because the emails mimic "Urgent Security Alerts," which trigger an emotional response that lowers our guard.

The "Safe-Sight" Checklist: How to Spot the Trick

  • The "Hover" Test: On a desktop, hover your mouse over any link and look at the status bar at the very bottom.

  • Password Manager Defense: Managers like Bitwarden or 1Password look at the actual encoded domain. If it won't auto-fill, it's a trap.

  • The Manual Entry Rule: Never click "Login" from an email. Always type the official website manually into your browser.

  • Look for Punycode: If you see xn-- in a URL, it is a 100% confirmation of an attack.

Stay Alert. Stay Human. Stay Safe.ZyberWalls Research Team 

Comments

Post a Comment

Popular posts from this blog

Digital Arrest: Hacking the Human Operating System

Image
At Zyberwalls , we see cybersecurity differently. Most people think a "hack" is about clicking a bad link. But the Digital Arrest is the most dangerous attack in India today because it uses Social Engineering —hacking the human, not the machine. Here is the technical breakdown of how this "movie" is directed and how you can stop the show. 1. Reconnaissance: Weaponized OSINT Before the first call, scammers do their homework using OSINT (Open Source Intelligence) . The Tech: Scammers buy leaked databases from the dark web. They know your PII (Personally Identifiable Information)—Aadhaar, address, and bank name. The Human Side: A stranger calls and says, "Mr. Sharma, your Aadhaar ending in 1234 was used in a drug parcel." Because the data is correct, your "Trust Firewall" drops. In reality, he just bought a leaked Excel sheet for ₹500. 2. Vishing & Spoofing: The Fake Uniform Once they have your attention, they move to Vishing (Voice Phish...
Read more

WhisperPair (CVE‑2025‑36911): Bluetooth Earbuds Vulnerability Explained

Image
Category: Threat Intelligence / Cybersecurity Analysis Imagine your earbuds secretly listening to every word you say — during a meeting, a workout, or your commute — and even telling someone where you are. On January 16, 2026, researchers revealed that this nightmare is real. The WhisperPair flaw (CVE‑2025‑36911) in Google’s Fast Pair system lets hackers hijack your wireless earbuds, turning them into silent spies — without any notification, alert, or warning. The Reality Check The tiny earbuds you trust for music, calls, or workouts could be acting as remote “live bugs,” silently recording your most private conversations. Convenience has become the ultimate attack surface. The Anatomy of WhisperPair (CVE-2025-36911) The vulnerability stems from a logic flaw in the Google Fast Pair Service (GFPS), used by dozens of manufacturers worldwide. GFPS is meant to make pairing seamless, but it failed to check if your earbuds are in pairing mode . This “Zero-Click” entry point allows at...
Read more

The "OLE Bypass" Emergency: CVE-2026-21509 Deep Dive

Image
On January 26, 2026 , Microsoft took the rare step of releasing an out-of-band (OOB) emergency update . This was not routine patching. It was a response to active exploitation in the wild — real attackers using a real zero-day. This vulnerability matters not because it is new, but because it shows how modern attacks actually succeed . What Is OLE? (No Jargon) OLE (Object Linking and Embedding) is a Windows feature that allows one program to run inside another program. Common examples: An Excel sheet embedded inside Word A PDF object inside PowerPoint Auto-updating forms inside documents Behind the scenes, Word tells Windows: “Load this external object for me.” If that object is active, it can run code . This is where risk begins. Why OLE Still Exists (And Why That’s Dangerous) OLE is old — very old. But Microsoft cannot remove it because: Enterprises depend on it Government systems depend on it Legacy workflows would break instantly ...
Read more