Most phishing advice tells people to look for suspicious links in emails, to hover before clicking, and to distrust anything that looks slightly off. That advice still applies, but a technique documented this week by security researchers at Palo Alto Networks' Unit 42 introduces a phishing path that bypasses all of it. The threat does not arrive in a suspicious email. It arrives through an AI tool the business already trusts.
When a large language model answers a question, it sometimes generates web addresses that do not exist. The model is not accessing the internet in real time. It is predicting what a plausible-looking URL would be for the brand or service being discussed. Most of the time, those invented addresses go nowhere because no one has registered them. Phantom squatting is what happens when attackers register them first.
The mechanics are straightforward. Attackers prompt AI models with questions about well-known companies, services, and portals. The models produce invented domains that sound credible. Attackers identify which of those domains are unregistered, claim them, and build phishing pages behind them. When a person or an AI system later follows the same recommendation and visits that address, they land on attacker-controlled infrastructure that looks entirely legitimate.
Unit 42's research put numbers to the scale of the problem. Across 685,339 queries covering 913 global brands, two AI models produced 2.1 million URLs. Of those, 13,229 were already flagged as malicious by threat intelligence systems. Roughly 250,000 additional hallucinated domains had no owner yet, each one a potential registration target for any attacker who moves first.
Conventional phishing depends on deception. The attacker crafts a message designed to lower the recipient's guard, usually by creating urgency or imitating a trusted sender. Standard defenses look for those signals: unusual senders, mismatched domains, suspicious attachments.
Phantom squatting removes that step. The malicious domain does not arrive in a suspicious email. It arrives as a recommendation from an AI assistant the employee already uses for research, writing, or development work. The link looks credible because it was generated by a tool the business trusts, and the domain itself may be newly registered with no prior reputation for anyone's filters to flag.
Unit 42's researchers described the core problem directly: the recommendation arrives through a trusted assistant rather than a phishing email, so it inherits credibility the attacker never had to earn.
The threat is not theoretical. On March 8, 2026, Unit 42's detection system identified a domain that AI models were consistently inventing when asked about a national postal service's online marketplace. Both models produced the same fabricated address at every test setting.
Twenty-three days later, an attacker registered that exact domain and deployed a phishing kit named Montana Empire. The kit replicated the real storefront in real time and was built using an AI coding assistant, meaning both the defender and the attacker arrived at the same invented domain through the same mechanism: the model's own internal patterns. The kit collected card numbers, bank transfer details, and national identification data before it was detected.
For a small or mid-sized business, phantom squatting matters for two reasons.
The first is that employees using AI assistants for day-to-day tasks are now a potential vector. A staff member asking an AI tool to look up a vendor portal, an API endpoint, or a client-facing service may receive a hallucinated URL. If that URL has already been claimed by an attacker, following the recommendation is enough to initiate a credential theft or malware delivery.
The second reason is that standard defenses offer limited protection here. Newly registered domains typically have no threat reputation at the moment of a phantom squatting attack. Domain reputation filters, which rely on prior malicious activity to flag a site, cannot detect a domain that has not yet been used against anyone.
The response does not require specialized tooling. A few straightforward habits close most of the exposure.
Treat AI-generated links the same way you would treat any unverified external source. Before visiting a URL produced by an AI assistant, confirm that the domain matches the organization's official address through an independent check, such as a direct web search or a known bookmark. This single step breaks the attack chain at its weakest point.
For teams using AI tools in development work, apply the same verification to any API endpoints or external service URLs generated during coding. A plausible-looking domain in a code recommendation deserves the same scrutiny as one in an email.
Awareness matters here more than most threats, simply because employees are unlikely to have encountered this risk before. A short briefing on how AI tools can generate invented addresses, and why those addresses need verification before use, costs very little and addresses the gap that phantom squatting specifically exploits.