When an AI assistant hands you a link, you tend to trust it. Attackers have found a way to abuse that trust before the link even exists. New research from Palo Alto Networks Unit 42 documents a technique it calls phantom squatting: adversaries register the fake web addresses that AI models invent, then wait for the model to send real people, and automated systems, straight to their infrastructure. The address never existed until an attacker bought it, which is exactly why your defenses do not see it arrive.
The mechanism is the same one behind a problem the software world already knows. When you ask a model for a package, a portal, or an API endpoint, it does not look anything up. It predicts a plausible-looking string from patterns in its training. Sometimes that string points at a real site. Often it points at a domain that has simply never been registered. Researchers have measured this for package names for over a year, coining slopsquatting for the case where attackers publish malware under the fake package names an AI keeps suggesting. Academic work found roughly one in five packages recommended by AI coding tools were entirely fabricated. Unit 42's contribution is to move that logic from package registries to the open web.
What the researchers measured
Unit 42 probed two production AI models with 685,339 prompts spanning 913 global brands, and collected 2.1 million unique URLs the models produced. A large share pointed nowhere real: one model generated non-existent domains 44.6 percent of the time, the other 27.5 percent. After filtering, the team counted roughly 250,000 unique unregistered domains, real addresses that an attacker could buy for a few dollars each and stand up as malicious infrastructure. Of the URLs that were already live, 13,229 (0.61 percent) were confirmed malicious and another 41,313 (1.90 percent) were high-risk. Among the confirmed-malicious set, Unit 42 attributes 67.2 percent to malware distribution and 16.2 percent to phishing.
Every figure above is Unit 42's, drawn from two specific models over one measurement window. The point is not the exact percentages. It is the order of magnitude: a quarter of a million fake but plausible addresses, tied to real brands, sitting unclaimed and waiting.
Why a domain nobody has registered beats your blocklist
Reputation is the quiet assumption under most web filtering. A URL filter, a secure web gateway, and a threat-intelligence feed all decide whether to block a site largely on its history: how old it is, who else flagged it, what it has hosted before. A phantom domain has no history. The moment an attacker registers it, it is a clean address with zero prior signals, and it stays clean until someone gets hurt and reports it. Unit 42 calls this the zero-reputation bypass, and it is the whole game. Your protective layer is structurally blind during the exact window that matters.
That reframes phantom squatting as a detection problem wearing a domain costume. You cannot block your way out of it after the fact, because "after the fact" is too late by definition. The defensible move is to watch for the registration of addresses that resemble your brand, and to treat any URL a model emits as untrusted input rather than a fact.
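One way to watch registrations for brand resemblance, as an added example that is not code from Unit 42 or from this article. The brand, the owned and watchlist domains, the feed, and the edit-distance threshold of 2 are all constructed assumptions.

```python
# Added example: triage a feed of newly registered domains for brand resemblance.
# BRAND, OWNED, WATCHLIST and FEED are constructed sample values.
from typing import Optional

BRAND = "examplepost"                        # hypothetical brand label
OWNED = {"examplepost.example"}              # domains the brand really controls
WATCHLIST = {"examplepost-tracking.test"}    # phantom domains recorded from model output
FEED = [                                     # constructed registration feed
    "examplepost-tracking.test", "examplepost.test", "exarnplepost.example",
    "my-examplepost-login.invalid", "examplepost.example", "weatherreport.test",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> Optional[str]:
    """Return why a new registration deserves review, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED:
        return None
    if domain in WATCHLIST:
        return "watchlist"           # exact domain a model already hallucinated
    labels = domain.split(".")[:-1]  # naive TLD strip, no public-suffix list
    tokens = [t for label in labels for t in label.split("-") if t]
    if any(BRAND in t for t in tokens):
        return "contains-brand"
    if any(edit_distance(t, BRAND) <= 2 for t in tokens):
        return "near-miss"           # e.g. "rn" standing in for "m"
    return None

def triage(feed):
    """Keep only the (domain, reason) pairs that need a same-day look."""
    return [(d, r) for d in feed if (r := classify(d)) is not None]

if __name__ == "__main__":
    for domain, reason in triage(FEED):
        print(f"{reason:15} {domain}")
```

The watchlist match fires first because it needs no similarity heuristic at all: the domain was already known from model output before anyone registered it.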
Predictable is the weapon, not random
Classic typosquatting bets on human error: an attacker registers gooogle.com and hopes a fraction of people fat-finger the third "o". Phantom squatting removes the guessing. The model reliably, repeatably tells the attacker which fake domains it will recommend, and it says the same thing to everyone who asks. A hallucination that reproduces across sessions and users is not noise; it is a targeting list. The attacker does not have to predict what a person mistypes. The AI publishes the answer for them, at scale, one brand at a time.
This is why the same trust shift we have flagged in other AI-agent stories keeps producing new attack surface. We wrote about prompt injection turning an AI assistant into a delivery path, and about AI coding agents running commands a human would have caught. Phantom squatting is the same failure from a different angle: the model is confidently authoritative about something it never verified, and a human or a pipeline acts on it.
Agentic AI is the accelerant
A person who lands on a suspicious site has a chance to notice the address looks off. An autonomous agent does not. Give an AI agent a task that involves fetching a documentation page, calling an API, or resolving a vendor portal, and it will follow the URL the model produced without a second thought. There is no human in the loop to see that the domain is one character of plausible fiction. As agents move into build pipelines and production workflows, phantom squatting scales from a phishing nuisance into a supply chain compromise, the same way a poisoned dependency does. This is the connective thread with package-level supply chain attacks: in both cases something trusted quietly points at attacker-controlled code.
The window is real, and it has already been used
Unit 42 did not stop at theory. It documents live cases where attackers weaponized hallucinated domains against real brands, and measures the lag from a phantom domain first appearing in model output to a working malicious site going live. That lag ran 18 to 51 days across the cases it tracked, a metric the team calls the adversarial exploitation window (AEW). In one, a postal-service e-commerce brand's hallucinated domain was registered weeks later and dressed up as a phishing kit, complete with a live scraper of the real storefront and a Telegram-based command-and-control (C2) channel for stolen credentials. In another, a fake address tied to a national postal service turned into a pixel-accurate clone that pushed a malicious Android app. Banking and retail brands appear in the same set.
The AEW cuts both ways. It is how long an attacker waits, but it is also your budget. If you can learn which phantom domains a model emits for your brand, you have weeks, not minutes, to get ahead of registration.
Close the window before the domain goes live
Phantom squatting does not have a patch, because there is no single vulnerable product. It is a property of how models generate text. Defense is about narrowing the window and refusing to trust unverified output.
- Treat model-generated URLs as untrusted. In any agentic workflow, do not let an agent auto-follow a link the model produced. Resolve it against an allowlist of known-good domains, or require the address to have real registration history before a pipeline touches it.
- Map your own phantom surface. Probe the AI assistants your customers actually use with prompts about your brand, products, and support portals, and record the non-existent domains they suggest. Those are your watchlist candidates, and you can build them before an attacker does.
- Monitor registration streams for brand-adjacent domains. Newly registered domains that echo your brand deserve a look the day they appear, not the day a customer reports a scam. The zero-reputation window is precisely when reputation tools cannot help you.
- Hunt for the tells of a live clone. A phishing kit that scrapes your storefront in real time, or a fake app signed by an unknown developer, leaves indicators. Watch for outbound traffic to freshly registered look-alikes and for brand assets loading from domains you do not own.
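The first item above, sketched as a gate an agent's fetch tool calls before following any URL the model produced. This is an added example, not code from Unit 42 or this article: the allowlist, the sample registration dates, the `created_lookup` callable (a stand-in for an RDAP or WHOIS query) and the 365-day minimum age are all assumptions.

```python
# Added example: decide whether an agent may follow a model-generated URL.
# ALLOWLIST, SAMPLE_CREATED and MIN_AGE_DAYS are constructed/assumed values.
from datetime import date
from urllib.parse import urlsplit

ALLOWLIST = {"vendor.example", "docs.vendor.example"}  # known-good domains
MIN_AGE_DAYS = 365                                     # assumed policy threshold
SAMPLE_CREATED = {                                     # constructed registration dates
    "old-portal.example": date(2015, 3, 1),
    "vendor-docs.test": date(2024, 12, 10),
}

def host_allowed(host: str) -> bool:
    """Exact match or true subdomain; a suffix-only match would pass look-alikes."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def gate(url: str, created_lookup, today: date):
    """Return (decision, reason); the agent fetches only on 'allow'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ("deny", "malformed")
    if parts.scheme != "https" or not host:
        return ("deny", "not-https")
    if parts.username or parts.password:
        return ("deny", "userinfo")        # trusted name placed before '@'
    if host_allowed(host):
        return ("allow", "allowlisted")
    created = created_lookup(host)         # None means no registration record found
    if created is None:
        return ("deny", "no-registration-history")
    if (today - created).days < MIN_AGE_DAYS:
        return ("deny", "too-new")
    return ("review", "aged-but-not-allowlisted")  # a human decides, not the agent

if __name__ == "__main__":
    today = date(2025, 1, 1)               # fixed date so the sample is reproducible
    for u in ("https://docs.vendor.example/api",
              "https://vendor-docs.test/login",
              "https://vendor-portal.invalid/",
              "https://vendor.example@vendor-docs.test/"):
        print(u, gate(u, SAMPLE_CREATED.get, today))
```

Denying on a missing registration record matters as much as denying on age: an unregistered domain today is exactly the address that can be bought and stood up tomorrow.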
The uncomfortable part of this research is that it does not describe a bug that gets fixed and forgotten. As long as models answer confidently without checking, they will keep manufacturing plausible addresses out of thin air, and someone will keep buying them. The defenders who come out ahead are the ones who stop treating an AI's output as a source of truth and start treating it as one more untrusted input.