Palo Alto Networks Unit 42 fed 913 real brand names into two large language models, ran 685,339 adversarial prompts, and collected 2.1 million URLs the models offered up. More than 809,000 of those addresses, roughly 37 percent, pointed at domains that do not exist. After deduplication, about 250,000 were unique, unregistered, and available to anyone with a credit card. The models were composing plausible web addresses and presenting them to users as real.
Attackers are already harvesting them. Unit 42 documented a case it calls Montana Empire: on March 8, 2026 its prediction system generated a hallucinated address resembling a national postal service's e-commerce site. Twenty-three days later, on March 31, someone registered that exact domain and stood up a credential-harvesting page behind it, built with an AI coding assistant and wired to a Telegram channel for the stolen logins. Unit 42 named the pattern phantom squatting: register the domains a model reliably invents, then let the model deliver the victims. The full writeup is in the Unit 42 research.
Here is who this reaches. If anyone on your team pastes a link a chatbot handed them, runs an install command an AI assistant suggested, or - the sharper edge - operates an autonomous agent that fetches URLs a model produced with no human reading them first, phantom squatting is your problem too. That describes most organizations in 2026. The short list of the exempt: teams with no AI assistants in the workflow, no agentic automation touching the network, and a firm rule that nobody acts on a machine-suggested address. If that is genuinely you, this one can wait. For everyone else the exposure is new, and it grows with every agent you deploy.
What Unit 42 actually measured
The scale is the story. The 913 brands spanned technology, finance, healthcare, e-commerce, government, gambling, and logistics, so this is not a quirk of one sector. Across the 2.1 million URLs the two models produced, 809,455 (37.28 percent) resolved to non-existent domains. Unit 42 flagged 13,229 of the generated URLs as already confirmed malicious by threat-intelligence feeds and another 41,313 as high-risk. Strip out duplicates from the non-existent set and roughly 250,000 unique phantom domains were left sitting unregistered and open for the taking.
The two models behaved differently, and neither was safe. The production-optimized enterprise model hallucinated a domain in 44.6 percent of its 1.2 million URLs; the low-latency frontier model did so 27.5 percent of the time. Both produced confirmed-malicious URLs at a similar rate, around 0.6 percent. There is no "safe" model to pick out of this. The fabrication is a property of how these systems generate text, and it held across both vendors Unit 42 tested.
Two facts turn that into a business for attackers. The hallucinations repeat: ask about the same brand a dozen ways and a model tends to converge on the same handful of invented addresses, so an attacker can farm a target's phantom domains in bulk. And the delivery channel is a trusted one. The victim did not mistype anything; an assistant they rely on told them where to go.
Typosquatting bets on your typo. Phantom squatting bets on the model's.
Domain-abuse defenses were built for a different threat. Typosquatting and combosquatting rely on human error: a fat-fingered gooogle.com, a plausible paypal-secure.com that a hurried user might accept. Defenders answer that with lookalike-domain monitoring keyed to their own brand string.
Phantom squatting steps around all of it. The address is a fresh string the model composed: a support subdomain, a docs portal, a download mirror that sounds right and never existed. Brand-lookalike monitoring will not flag it, because it need not contain your brand at all. And because the referrer is an AI assistant, the user lands with their guard down, having been "helped" to the page.
The same root cause has a package-registry cousin. Slopsquatting - a term for hallucinated package names - works the same way: a model suggests a pip install or npm install for a library that does not exist, an attacker publishes malware under that name, and the next developer who trusts the suggestion pulls it into a build. Unit 42 frames phantom squatting and slopsquatting as one technique aimed at two namespaces: the open web and the software registry.
Where agentic AI removes the last human check
A person in the loop is a weak control, but it is a control. Some fraction of users will notice that secure-login-portal-updates.com looks off and stop. Autonomous agents do not pause to be suspicious. An agent told to "download the vendor's CLI" or "check the docs at the URL you find" will resolve, fetch, and sometimes execute whatever the model produced, with no decision point between the hallucination and the action.
The Montana Empire timeline shows attackers have room to work: 23 days passed between Unit 42 predicting the phantom domain and an adversary registering it. Unit 42 calls that gap the adversarial exploitation window, and it is long enough to industrialize. Predict the domains a model emits for high-value brands, register the promising ones, and wait for traffic that a growing population of agents will send on their own. As agent deployments climb, the distance between a model's confident mistake and a compromised host keeps shrinking. This is the trajectory to plan for: the human who might catch the bad address is being designed out of more workflows every quarter.
Close the gap you can actually close
None of this waits on the model vendors to stop hallucinating; that behavior will be with us for a while. The useful controls sit on your side of the wire.
Block or sandbox newly registered domains
Phantom domains are, by definition, freshly registered - the attacker buys them after the model starts emitting them. Newly-registered-domain (NRD) feeds are widely available, and most DNS filters and secure web gateways can block or divert any domain registered in the last 30 days. That single control breaks the Montana Empire pattern, where the malicious site went live weeks after the phantom address first appeared.
Do not let agents fetch arbitrary URLs
Any agent with network access needs an egress allowlist, not open web reach. When an agent must retrieve something, the destination should be a domain you have vetted, not one the model produced mid-task. Where open retrieval is unavoidable, gate it: resolve the host, check its registration age, and refuse anything that does not resolve or was registered days ago. A registration-age check is a few lines against RDAP, the key-free replacement for WHOIS:
#!/usr/bin/env bash
# Flag any domain an AI assistant or agent handed you if it was
# registered recently. RDAP is the modern WHOIS replacement, no key needed.
check_domain_age() {
local d="$1" created age_days
created=$(curl -s "https://rdap.org/domain/${d}" \
| jq -r '.events[]? | select(.eventAction=="registration") | .eventDate' \
| head -n1)
if [ -z "$created" ] || [ "$created" = "null" ]; then
echo "NO RDAP RECORD (unregistered): ${d} <-- a phantom domain looks like this"
return
fi
age_days=$(( ( $(date +%s) - $(date -d "$created" +%s) ) / 86400 ))
echo "${d} registered ${created} (${age_days} days old)"
[ "$age_days" -lt 30 ] && echo " WARNING: newly registered - do not auto-trust"
}
check_domain_age "$1"
Treat AI-suggested installs like untrusted input
Every AI-suggested pip, npm, go get, or curl | bash command is a claim that a package or host exists and is legitimate. Verify before you run it: confirm the package is real and maintained, pin exact versions in a lockfile, and require hashes (npm ci, pip install --require-hashes) so a name a model invented cannot silently resolve to someone's malware.
Hunt the logs for AI-referred traffic to fresh domains
Detection catches what the preventive controls miss. Query your DNS and secure-web-gateway logs for outbound connections to domains registered in the last 30 days, and pay closest attention to sessions whose referrer is an AI assistant host or whose source is an agent service account. A managed workstation reaching a two-week-old domain right after a chatbot session, or an automation account resolving a host outside its allowlist, is the signal worth an alert. Feed your NRD list into the SIEM so those first-contact events surface the same day, not in a monthly review.
Enforce the gate in code, not in a policy nobody reads
If you build agents, make the check mandatory rather than trusting an operator to remember it. A small guard that refuses unresolved or very fresh domains stops the autonomous path before it starts:
import socket, datetime, requests
def domain_is_trustworthy(host, min_age_days=30):
"""Return (ok, reason) for a model-produced host before an agent uses it."""
try:
socket.gethostbyname(host) # phantom domains often do not resolve
except socket.gaierror:
return False, "does not resolve"
try:
data = requests.get(f"https://rdap.org/domain/{host}", timeout=5).json()
reg = next(e["eventDate"] for e in data["events"]
if e["eventAction"] == "registration")
age = (datetime.datetime.now(datetime.timezone.utc)
- datetime.datetime.fromisoformat(reg)).days
except Exception:
return False, "no registration record"
if age < min_age_days:
return False, f"registered {age} days ago"
return True, f"{age} days old"
# ok, why = domain_is_trustworthy("secure-login-portal-updates.com")
# if not ok: refuse the fetch and log it
Refuse the domains your model just invented
The change that matters is a posture one: stop granting trust to a URL or an install command because an AI assistant produced it. Block newly registered domains at the resolver, put an egress allowlist and a domain-age gate in front of every agent, and pin what your builds pull. Do those four things and the 250,000 phantom domains sitting out there become traffic you drop instead of a page your people log into. The models will keep inventing addresses; your network decides whether that invention reaches anyone. Cross-checked reporting on the campaign and the technique is available from The Hacker News and Dark Reading.
Not sure where AI-suggested links and code enter your environment?
We map how teams actually use AI assistants and agents - the points where an autonomous fetch or an AI-suggested install becomes an entry point - and help you put guardrails around them. Book a session to review your exposure with our team.
