A fake Microsoft email domain is making the rounds again, tricking users into clicking password reset links that look legitimate. The phishing campaign uses the domain “rnicrosoft.com,” placing the letters “r” and “n” side by side so that they resemble the “m” in Microsoft’s name.
The scheme relies on ‘typosquatting,’ a tactic where scammers register domain names that look almost identical to real ones. According to the Cybersecurity and Infrastructure Security Agency, 70% of all attached files or links in phishing emails containing malware were not blocked by network protection systems.
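The “rn”-for-“m” substitution described above can be checked mechanically on a mail gateway or in a triage script. The following is an added example, not code from the article or from any agency it cites; the protected-domain list, the lookalike table and the sample From headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains this organization wants to protect.
PROTECTED = ("microsoft.com",)

# Constructed, non-exhaustive table of lookalike sequences and the
# character each one imitates in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Fold lookalike sequences so visually similar names compare equal."""
    folded = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower().rstrip(".")


def lookalike_of(from_header: str):
    """Return the protected domain a sender imitates, or None."""
    labels = sender_domain(from_header).split(".")
    # Check the domain and each parent (a.b.c -> a.b.c, b.c) so that
    # subdomains of a lookalike are caught as well.
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    if any(s in PROTECTED for s in suffixes):
        return None  # genuine domain or one of its subdomains
    for s in suffixes:
        for real in PROTECTED:
            if skeleton(s) == skeleton(real):
                return real
    return None


# Constructed sample From headers.
SAMPLES = [
    "Microsoft account team <no-reply@rnicrosoft.com>",
    "Microsoft <security@accounts.rnicrosoft.com>",
    "Microsoft <no-reply@login.microsoft.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{lookalike_of(header) or 'ok':<15} {header}")
```

The check compares the address inside the angle brackets, not the display name, which is the same reason the guidance further down says to expand the full sender address.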
A familiar domain returns
Public domain records show rnicrosoft.com has existed for more than a decade. It was first registered in 2012 under Park HyungJin based in South Korea and is currently set to expire in March 2026.
Users on Reddit and LinkedIn say the domain reappears every few years, often with the same email design that mimics real Microsoft password reset messages. The layout, tone and timing are all engineered to look authentic.
Tied to past cybersquatting disputes
Park HyungJin’s name also appears in multiple domain disputes filed with the World Intellectual Property Organization.
Phishing was the cybercrime most frequently reported to the FBI in 2024, with 193,407 complaints.

In one 2019 case, a Swiss cybersecurity company called WISeKey SA accused Park of taking over its domain name wisekey.net. The company said the registration was done in bad faith to exploit WISeKey’s existing trademark.
The WIPO panel agreed, finding that Park had “no legitimate interest” in the name and had registered it with intent to mislead users. The panel ordered the domain to be transferred back to WISeKey.
WIPO records show Park has been listed in at least a dozen similar cases over the years, often involving domains that mimic well-known brands.
Phishing vs spam
Technology company Cisco defines phishing as “fraudulent communications that appear to come from a reputable source.” These messages often trick people into sharing passwords, payment information or other sensitive data.
By contrast, spam usually refers to unsolicited or irrelevant junk email. While spam clutters inboxes, phishing attempts are far more dangerous because they aim to steal personal information or install malware. Both types of email should be reported.
How phishing scams succeed
Perhaps the most alarming statistic from CISA was that 84% of employees took the bait within the first ten minutes of receiving a phishing email, often by clicking a spoofed link or replying with sensitive information. Only 13% reported the phishing attempt, limiting their organization’s ability to respond quickly.
The Federal Trade Commission (FTC) and CISA recommend simple but effective steps to protect yourself:
- Expand the full sender address before clicking any links.
- Hover over links to see where they actually lead.
- Don’t share personal information in response to an email you didn’t expect.
- Be skeptical of urgency, such as “password reset” or “account suspended” alerts.
If you didn’t request the action mentioned in the email, ignore it and report it — especially if it’s sent to a work address. However, if you suspect a scammer has any sensitive information from a response to an email, visit IdentityTheft.gov.
For more resources, visit the FTC’s guide on how to recognize and avoid phishing scams.