A novel attack vector called phantom squatting exploits a quirk of large language models: their tendency to hallucinate non-existent web addresses. Researchers at Palo Alto Networks' Unit 42 have documented threat actors purchasing these AI-invented domains before anyone else can, then using them to host phishing pages or deliver malware. The tactic preys on users and systems that follow links generated by AI tools.

The technique is already active in the wild, according to Unit 42's research. By registering domains that AI models fabricate, attackers can intercept traffic that would otherwise lead nowhere or, in some cases, redirect users away from legitimate destinations. The approach lowers the barrier for phishing campaigns because the domains arrive with the implied endorsement of the AI's output, making them appear credible to automated tools and unwary users.

Unlike traditional squatting methods, which rely on typosquatting or homograph attacks against known domains, phantom squatting targets spaces that exist only in the model's imagination. The hallucinated domains are often plausible enough — for example, combining a brand name with a common suffix — to slip past casual inspection. Unit 42's findings indicate that this tactic is scalable; attackers can prompt LLMs to generate hundreds of plausible-but-fake domains at low cost.

Detection is challenging because the domains are not registered in advance of the attack; they come into existence only after the AI invents them. Defenders must watch AI-generated content for references to unknown domains and preemptively block or monitor those names. As of the report's publication, no widespread mitigation strategy has been deployed, though security vendors are likely to update threat intelligence feeds to flag newly registered domains that match AI-fabricated patterns.
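One way to implement the monitoring step described above, as an added example that is not taken from Unit 42's report: it pulls every hostname out of a piece of LLM output and flags those that are not on an allowlist, marking names that embed a protected brand separately. `KNOWN_DOMAINS`, `BRAND_TOKENS`, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions (constructed for this example): domains the organization vouches
# for, and brand tokens worth protecting. The .test TLD is reserved.
KNOWN_DOMAINS = {"examplebank.test", "python.org"}
BRAND_TOKENS = {"examplebank"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample of LLM output containing one known and two unknown hosts.
SAMPLE_OUTPUT = (
    "Reset your password at https://examplebank-login.test/reset. "
    "API docs live at [the portal](https://docs.examplebank.test/v2/index.html) "
    "and the SDK is mirrored on pkg-mirror-hub.test."
)

def extract_hosts(text):
    """Return the set of hostnames referenced in text, from URLs and bare names."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    # Remove URLs first so path segments such as "index.html" are not read as hosts.
    for host in HOST_RE.findall(URL_RE.sub(" ", text)):
        hosts.add(host.lower())
    return hosts

def is_known(host):
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def triage(llm_output):
    """Map each unvetted host to 'brand-lookalike' or 'unknown'; known hosts are omitted."""
    findings = {}
    for host in sorted(extract_hosts(llm_output)):
        if is_known(host):
            continue
        branded = any(token in host for token in BRAND_TOKENS)
        findings[host] = "brand-lookalike" if branded else "unknown"
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
```

Names returned by `triage` are candidates for a blocklist or a registration watch before the output reaches users; bare-hostname matching is deliberately loose and will need tuning against file names in real text.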

The broader implication is that AI systems, in their eagerness to please users, are inadvertently generating exploitable attack surfaces. Unit 42 has not yet attributed the observed campaigns to specific threat actors, but the research underscores a growing need for guardrails on LLM outputs to prevent the creation of verifiable-but-false artifacts that adversaries can weaponize.