{ "type": "Domain", "indicator": "microsoft-support.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/microsoft-support.com", "alexa": "http://www.alexa.com/siteinfo/microsoft-support.com", "indicator": "microsoft-support.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4186487975, "indicator": "microsoft-support.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6977c393433ff631bf86e558", "name": "Hackers Use \u2018rn\u2019 Typo Trick in New Marriott Phishing Campaign", "description": "", "modified": "2026-01-26T19:42:11.435000", "created": "2026-01-26T19:42:11.435000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69776bd5e5c5a64b0cbddf28", "name": "Hackers Use \u2018rn\u2019 Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A sophisticated phishing campaign is targeting customers of Marriott International and Microsoft, using a typo trick that mimics the company\u2019s official logo and layout, according to security firm Netcraft.", "modified": "2026-01-26T13:27:49.949000", "created": "2026-01-26T13:27:49.949000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "sugarman", "anagram", "microsoft logo", "difference", "compromise", "look" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Hotel" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766f2d6725a71097054cd9", "name": "Hackers Use rn Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A recent phishing campaign has emerged that employs a sophisticated technique known as \"homoglyph\" attacks, targeting customers of both Marriott International and Microsoft. Attackers are utilizing a typographical trick that replaces the letter \"m\" with the combination of \"rn\" (the characters r and n), creating fraudulent domains that closely mimic the legitimate websites of these well-known brands.\n\nIn the case of Marriott International, a security firm named Netcraft has reported the discovery of several malicious domains specifically designed to impersonate the hotel chain. These fake websites aim to deceive users into revealing their loyalty account credentials or other sensitive personal information related to hotel bookings and guest data. The close resemblance to legitimate domains raises the risk of unsuspecting customers falling victim to these phishing efforts.", "modified": "2026-01-25T19:29:49.547000", "created": "2026-01-25T19:29:49.547000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "anagram", "microsoft logo", "difference", "compromise", "look", "critical", "marriott hotels", "login", "high", "mobile" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Hotel" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/", "IOCs.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users" ], "malware_families": [], "industries": [ "Hotel" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6977c393433ff631bf86e558", "name": "Hackers Use \u2018rn\u2019 Typo Trick in New Marriott Phishing Campaign", "description": "", "modified": "2026-01-26T19:42:11.435000", "created": "2026-01-26T19:42:11.435000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69776bd5e5c5a64b0cbddf28", "name": "Hackers Use \u2018rn\u2019 Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A sophisticated phishing campaign is targeting customers of Marriott International and Microsoft, using a typo trick that mimics the company\u2019s official logo and layout, according to security firm Netcraft.", "modified": "2026-01-26T13:27:49.949000", "created": "2026-01-26T13:27:49.949000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "sugarman", "anagram", "microsoft logo", "difference", "compromise", "look" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Hotel" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766f2d6725a71097054cd9", "name": "Hackers Use rn Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A recent phishing campaign has emerged that employs a sophisticated technique known as \"homoglyph\" attacks, targeting customers of both Marriott International and Microsoft. Attackers are utilizing a typographical trick that replaces the letter \"m\" with the combination of \"rn\" (the characters r and n), creating fraudulent domains that closely mimic the legitimate websites of these well-known brands.\n\nIn the case of Marriott International, a security firm named Netcraft has reported the discovery of several malicious domains specifically designed to impersonate the hotel chain. These fake websites aim to deceive users into revealing their loyalty account credentials or other sensitive personal information related to hotel bookings and guest data. The close resemblance to legitimate domains raises the risk of unsuspecting customers falling victim to these phishing efforts.", "modified": "2026-01-25T19:29:49.547000", "created": "2026-01-25T19:29:49.547000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "anagram", "microsoft logo", "difference", "compromise", "look", "critical", "marriott hotels", "login", "high", "mobile" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Hotel" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "microsoft-support.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "microsoft-support.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780212861.3122387 }