rnicrosoft.com
You read that as Microsoft, did you not?
This is exactly what attackers are hoping we do with their latest email phishing scam attempt. A new campaign is spreading quickly across the UK and it is fooling thousands of people because the difference between the real and fake version of the Microsoft domain is almost invisible.
Even if you spotted that the m had been replaced with the characters r and n, or you have already seen this scam doing the rounds, you have to admit it is a surprisingly clever way for attackers to adapt their methods in order to gain access to your business.
Cybercriminals know that most people read familiar words based on shape and pattern recognition rather than analysing every individual letter.
By registering the domain rnicrosoft.com, they have created a lookalike version of Microsoft’s legitimate domain that is almost indistinguishable at a glance.
What Exactly Is the Scam?
Attackers are registering the domain rnicrosoft.com. Instead of using the single letter m, they use the characters r and n side by side. In many fonts these characters blend together and look exactly like m. When someone is checking emails quickly, especially on a mobile device, this tiny change is almost impossible to notice.
Criminals then send emails that look just like genuine Microsoft alerts. They frequently warn that your password is expiring, that suspicious activity has been detected or that your Microsoft 365 account will be locked. The logos, colours and layout are copied directly from real Microsoft templates.
Below is an example of what these phishing emails typically look like: a message titled "Password Reset Request" (or sometimes "Password Expiring - Action Required") with an official-looking Microsoft security header.
[Image: example of the phishing email]
This example demonstrates how convincing the scam is. The only reliable giveaway is the domain name, which looks correct unless examined very carefully.
This technique is not limited to Microsoft and appears in other impersonation attempts. Attackers use the same trick against other well-known brands such as Amazon, Meta or Gmail by replacing the letter m with rn, producing domains that also look very convincing at a glance:
- arnazon.com
- rneta.com
- grnail.com
Why This Scam Works So Well
It looks legitimate
People recognise familiar brands visually. When reading quickly, the word “Microsoft” is processed as a familiar shape and the difference between m and rn is overlooked.
It targets high-value accounts
A Microsoft 365 account gives access to email, Teams, SharePoint, OneDrive and administrative tools. This makes it extremely valuable for attackers.
It relies on urgency
The messages pressure users to act immediately, reducing the chance they will stop to check the details.
It copies real Microsoft templates
The emails closely mirror genuine Microsoft alerts, which builds trust at first glance.
What Happens If Someone Clicks the Link
Once a user engages with the scam, the attack process begins immediately.
Step 1 - They are taken to a fake Microsoft login page that looks identical to the real thing.
Step 2 - When they enter their email and password, these details are sent straight to the attacker.
Step 3 - The page usually shows an error message such as "Something went wrong. Please try again later."
The user often closes the window and assumes it was a technical glitch.
Step 4 - Attackers attempt to log into the real Microsoft account using the stolen credentials.
Step 5 - If MFA is enabled, they trigger repeated MFA requests. This tactic, known as MFA fatigue, relies on users approving the request by accident.
Step 6 - If the attacker gains access, they typically:
- Search emails for financial information, invoices and supplier details
- Set up hidden forwarding rules to monitor future messages
- Attempt password changes or privilege escalation
- Access OneDrive, Teams and SharePoint data
- Send further phishing emails from the compromised account
- Prepare ransomware deployment or delete backups
This can happen within minutes of the initial click.
How to Spot the Microsoft Scam Immediately
First Things First
If you are not sure whether an email is a scam, your instinct that something feels wrong is usually correct. Do not click any links.
Delete the email or mark it as junk and always contact your internal IT team, IT provider or Microsoft support directly using a trusted method. Never rely on the contact details inside the suspicious message.
Also, if you spot anything suspicious, scam emails can be forwarded to report@phishing.gov.uk, and harmful websites can be reported directly to the National Cyber Security Centre.
Once you have taken that step, look for the following signs.
1. Check the sender domain carefully
The fake domain uses: rnicrosoft.com
The genuine domain uses: microsoft.com
2. Hover over links
If the link contains anything unusual such as rnicrosoft, micros0ft, rn365, or any variation of the official domain, it is fraudulent.
3. Treat unexpected alerts with caution
Microsoft will not send urgent warnings demanding verification unless you initiated the action.
4. Check inside your Microsoft 365 account
If an alert is genuine, it will also appear inside your Microsoft account when accessed through a web browser.
5. Look for unusual timing
These messages often arrive early in the morning or late at night when you are likely to be less attentive.
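Checks 1 and 2 above (the sender domain and the hostnames behind links) can be automated for a mail gateway or a triage script. The example below is added here and is not code from The HBP Group or from Microsoft: it collapses the confusable sequences the article describes (rn for m, and the 0 for o seen in "micros0ft") before comparing a domain against a list of protected brands, so rnicrosoft.com, arnazon.com, rneta.com and grnail.com are all flagged while the genuine domains pass. The brand list, the confusable pairs, the two-label registrable-domain rule and the sample messages are assumptions constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Brands this check protects. Assumption: a real deployment would use the
# organisation's own list of high-value brands and partner domains.
PROTECTED_DOMAINS = {"microsoft.com", "amazon.com", "meta.com", "gmail.com"}

# Character sequences that read as a single different letter at a glance.
# "rn" -> "m" is the swap the article describes; the others are common
# companions (the article's "micros0ft" uses the 0 -> o swap).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Captures the hostname of an http(s) URL found in a message body.
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)


def normalise_domain(domain: str) -> str:
    """Collapse look-alike sequences so rnicrosoft.com compares equal to microsoft.com."""
    d = domain.lower().strip().rstrip(".")
    for lookalike, letter in CONFUSABLE_PAIRS:
        d = d.replace(lookalike, letter)
    return d


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (login.rnicrosoft.com -> rnicrosoft.com).
    Assumption: two-label public suffixes such as co.uk are not handled here;
    production code would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """'genuine' if the registrable domain is a protected brand, 'lookalike' if it
    only matches after collapsing confusable characters, otherwise 'unrelated'."""
    base = registrable_domain(host)
    if base in PROTECTED_DOMAINS:
        return "genuine"
    if normalise_domain(base) in PROTECTED_DOMAINS:
        return "lookalike"
    return "unrelated"


def classify_sender(from_header: str) -> tuple[str, str]:
    """Parse a From: header value and classify the domain of the actual address.
    The display name is ignored: it is attacker-controlled text."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("", "unparseable")
    host = addr.rsplit("@", 1)[1]
    return (host, classify_domain(host))


def lookalike_links(body: str) -> list[str]:
    """Return every URL hostname in a message body that is a brand lookalike."""
    return [h for h in URL_HOST_RE.findall(body) if classify_domain(h) == "lookalike"]


def triage(messages: list[dict]) -> list[dict]:
    """Flag messages whose sender domain or links impersonate a protected brand."""
    results = []
    for msg in messages:
        host, verdict = classify_sender(msg["from"])
        bad_links = lookalike_links(msg["body"])
        results.append({
            "from_host": host,
            "sender_verdict": verdict,
            "lookalike_links": bad_links,
            "suspicious": verdict == "lookalike" or bool(bad_links),
        })
    return results


# Constructed sample messages for the demonstration; they are not real emails.
SAMPLE_MESSAGES = [
    {"from": "Microsoft account team <no-reply@rnicrosoft.com>",
     "body": "Your password is expiring. Verify now: https://login.rnicrosoft.com/reset"},
    {"from": "Microsoft account team <no-reply@accountprotection.microsoft.com>",
     "body": "Review recent activity at https://account.microsoft.com/security"},
    {"from": "Amazon <orders@arnazon.com>",
     "body": "Track your parcel: https://arnazon.com/track?id=1"},
    {"from": "Jo Bloggs <jo@example.org>",
     "body": "Lunch on Friday? Menu: https://example.org/menu"},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result)
```

Note that the comparison is done on the registrable domain, so a subdomain such as login.rnicrosoft.com is caught as well, and that the normalisation only matters when the collapsed form collides with a protected brand: an ordinary domain containing "rn" is left alone.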
What To Do If You Receive A Suspicious Email
The safest approach is to:
- Mark it as spam or phishing using the built-in option in Outlook or Gmail
- Delete it immediately after marking as spam
- Do not click any links
- Do not reply
- Do not forward it on (including to us)
If you think you may have clicked on something you should not have, please contact our support team as soon as possible so we can help secure your account. Never rely on the contact details inside a suspicious message.
The Business Impact of a Successful Microsoft Credential Theft
If an attacker gains access to a Microsoft 365 account the consequences can include:
- Fraudulent payment requests sent from a legitimate account
- Theft of confidential files from OneDrive or SharePoint
- Internal impersonation of directors or managers
- Access to Teams conversations and stored documents
- Creation of hidden forwarding rules, allowing attackers to quietly receive copies of your emails, even after passwords have been changed.
- Ransomware planning and backup deletion
While the average cost of cyber breaches for UK businesses is £8,260 per breach, the actual impact on your business, reputation and finances can be significantly higher for businesses that handle sensitive information or operate under strict compliance requirements.
How You Can Protect Your Organisation
If you take one action today, make it this: review how your organisation handles Microsoft alert emails and ensure employees know to check domains carefully and trust their instincts when something feels wrong.
People are falling for these attacks because they look familiar. Teaching your team to slow down and check the domain is the simplest and most effective protection you can put in place immediately.
Here are some key steps you can take today to make sure your business does not fall foul of this new scam:
Strengthen employee awareness
Ensure your team understands how to identify subtle domain changes like rn instead of m.
Use advanced email filtering
Modern filtering solutions can detect domain impersonation and prevent these emails from reaching end users.
Enforce strong authentication
Conditional Access policies, strong MFA methods and location-based restrictions significantly reduce risk.
Run regular phishing simulations
Simulations using realistic templates help staff recognise the most common attack patterns.
Review mailbox rules
Hidden forwarding rules are one of the most common signs of a compromised account.
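A mailbox rule review is easy to script once the rules have been exported. The example below is added here and is not The HBP Group's or Microsoft's code: it walks a list of rule records and flags the patterns that the article's "hidden forwarding rules" warning refers to, namely forwarding or redirecting to an address outside the organisation's own domains, forwarding and then deleting the original, and rules with a blank or punctuation-only name. The record layout is an assumption that mirrors the property names Exchange Online's Get-InboxRule cmdlet exposes (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder); the tenant domain and the sample rules are constructed for the demonstration.

```python
import re

# Assumption: the organisation's own accepted email domains.
TENANT_DOMAINS = {"example.co.uk"}

# Matches the address inside a recipient entry, whether it is a bare address or
# the '"Display Name" [SMTP:user@domain]' form Exchange shows.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def recipient_domain(recipient: str) -> str:
    """Extract the domain from a recipient entry; empty string if none is found."""
    match = ADDRESS_RE.search(recipient)
    return match.group(1).lower() if match else ""


def review_rule(rule: dict) -> list[str]:
    """Return the reasons a single inbox rule deserves a human look (empty if none)."""
    reasons: list[str] = []
    if not rule.get("Enabled", True):
        return reasons  # a disabled rule moves no mail; leave it for the full audit
    targets = (
        (rule.get("ForwardTo") or [])
        + (rule.get("RedirectTo") or [])
        + (rule.get("ForwardAsAttachmentTo") or [])
    )
    external = [t for t in targets if recipient_domain(t) not in TENANT_DOMAINS]
    if external:
        reasons.append("forwards or redirects to external recipient(s): " + ", ".join(external))
    if targets and rule.get("DeleteMessage"):
        reasons.append("forwards and then deletes the original, hiding the copy from the owner")
    if not rule.get("Name", "").strip(" ._-"):
        reasons.append("rule name is blank or punctuation only, which makes it easy to overlook")
    return reasons


def review_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each flagged rule name to its reasons; rules with no findings are omitted."""
    findings: dict[str, list[str]] = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            findings[rule.get("Name", "")] = reasons
    return findings


# Constructed sample export; the values are made up for the demonstration.
SAMPLE_RULES = [
    {"Name": "Supplier invoices", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": "Invoices"},
    {"Name": "Cover for Sam", "Enabled": True, "ForwardTo": [],
     "RedirectTo": ['"Sam" [SMTP:sam@example.co.uk]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": None},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ['"" [SMTP:archive-7731@mailbox.example.net]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MoveToFolder": None},
]

if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES).items():
        print(repr(name), "->", reasons)
```

Only the third rule is reported: it forwards to an address outside the tenant, deletes the original so the mailbox owner never sees the copy, and is named with a single full stop. The internal redirect covering a colleague's inbox passes, which is the point of checking the recipient domain rather than the mere presence of a forward.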
Build strong disaster recovery and response processes
Speed of detection and isolation is critical in limiting impact.
At The HBP Group we work with UK businesses to assess their cybersecurity posture, close vulnerabilities and build resilient protection across all areas of their Microsoft environment.
If you would like support reviewing your setup or understanding your risk level, our team is here to help.