An attacker registers a web address one character off from a real one — and suddenly emails and login pages look completely legitimate. Lookalike domains are cheap, simple, and effective. Here is how to spot them.
Read this address quickly: rnicrosoft.com. At a glance, it looks like microsoft.com — but the "m" is actually an "r" and an "n" placed side by side. This is one of the oldest and simplest tricks in the book, and it still works beautifully. Attackers register web addresses that look almost identical to real ones, then use them to send convincing emails and host convincing fake login pages. They're called lookalike domains, and the whole attack lives in a character or two you didn't notice.
Why a domain is the perfect disguise
A domain name — the part after the @ in an email, or the website address in your browser — is supposed to be how you tell who you're really dealing with. That's exactly why faking it is so powerful. If an email genuinely comes from your-supplier.com, you trust it. If it comes from your-suppIier.com (with a capital "I" standing in for the "l"), you probably still trust it, because your eye reads what it expects to read.
Attackers have a whole toolkit of these substitutions:
- Swaps that look alike. "rn" for "m," capital "I" for lowercase "l," the number "0" for the letter "O," "vv" for "w."
- Small additions. yourcompany-support.com, yourcompany-invoices.com, secure-yourcompany.com — extra words that sound official.
- Different endings. yourcompany.co instead of .com, or .net, or a country ending you don't use.
- Tiny misspellings. A doubled or dropped letter that's easy to skim past.
Once an attacker owns one of these, they can send email that appears to be from your company or a company you trust, and they can build a fake login page hosted on a web address that looks right at a glance.
Where it's used against you
Lookalike domains turbocharge other attacks. An invoice-fraud email is far more convincing when it comes from a near-perfect copy of your real supplier's address. A phishing page that harvests Microsoft passwords is more believable when its address contains "microsoft" with one quiet substitution. And scammers will sometimes register a lookalike of your company to target your customers and partners, trading on a reputation you built.
How to defend against it
You can't stop people from registering similar domains, but you can make them far less effective.
- Slow down and read the full address. The attack depends on a quick glance. Before acting on an email that asks for money, credentials, or sensitive data, actually read the sender's domain, character by character. Before logging in, read the web address in the bar.
- Reach important sites yourself. Don't get to your bank or your Microsoft 365 through an email link, where a lookalike can intercept you. Type the address or use a saved bookmark.
- Verify money and credential requests out-of-band. The reliable defense against any impersonation — lookalike domain or not — is confirming unusual requests through a channel you already trust, like a phone call to a known number.
- Set up email authentication for your own domain. Properly configured SPF, DKIM, and DMARC records make it much harder for anyone to send email that appears to come from your real domain, which closes off one whole avenue of impersonation.
- Consider watching for lookalikes of your brand. For businesses worried about customer-facing fraud, services exist that alert you when a domain resembling yours gets registered, so you can warn people early.
The instinct to build in your team: the sender address and the web address are the things you actually verify, and they reward a careful second look precisely because attackers are betting you won't take one.
Protecting your own domain from impersonation is something you can lock down, and it's easy to leave half-done. Tenant Strike checks your Microsoft 365 email-authentication settings — SPF, DKIM, and DMARC — and tells you, in plain English, how easy it currently is for someone to send email as your company, and what to tighten. It even shows what your domain looks like from the outside, the way an attacker scoping a lookalike would. Five minutes, read-only, no changes.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.