5 min read By Excello Mail Team

Phantom Squatting: When AI Chatbots Recommend Your Brand's Fake Domain

Palo Alto Networks Unit 42 found that AI models routinely hallucinate plausible but nonexistent domains for real brands, and attackers are now registering those exact domains before the companies do, creating a phishing delivery channel that never touches an inbox and that DMARC alone cannot see.

Researchers at Palo Alto Networks’ Unit 42 have documented an attack pattern that skips the inbox entirely. Large language models, it turns out, are remarkably consistent about inventing web addresses that sound exactly right for a real company but that no one has ever registered. Attackers have started registering those invented addresses first, then waiting for an AI assistant to recommend the fake domain to a real user as though it were the genuine company site. Unit 42 named the pattern phantom squatting, and the scale they found makes it hard to dismiss as a theoretical risk.

A New Kind of Squatting

Typosquatting has always relied on human error: a user fat-fingers a URL and lands on a lookalike domain built to catch the mistake. Phantom squatting flips that dependency. Instead of waiting for a person to mistype something, it waits for a model to confidently invent something. Unit 42 queried two major LLM families with 685,339 adversarial prompts covering 913 global brands and collected 2.1 million resulting URLs. Of those, 809,455 pointed to domains that simply do not exist, invented wholesale by the model as a plausible-sounding answer. Roughly 250,000 of those hallucinated domains were still unregistered at the time of the research, sitting open for anyone to claim, and 13,229 of the ones that had already been registered were flagged as malicious by existing threat intelligence feeds.

Registered, Weaponized, and Delivered by a Trusted Voice

The most striking finding is not that hallucinations happen, but that attackers are watching for them and moving fast. Unit 42’s own monitoring pipeline flagged a hallucinated postal-service e-commerce domain as high risk 23 days before an attacker registered it and built a full phishing kit on it, an operation researchers dubbed Montana Empire, complete with a pixel-perfect brand clone, a fabricated 4.8-star rating, and a false claim of two million users, all wrapped around a malicious Android app push. In a separate case, a hallucinated domain sat flagged for 51 days before registration. That window, 18 to 51 days between a domain being invented by a model and being claimed by an attacker, is the gap defenders have to work with.

Once weaponized, the delivery mechanism is what makes this genuinely different from a standard phishing campaign. There is no email to filter, no attachment to sandbox, no sender to authenticate. A user, or increasingly an autonomous AI agent acting on a user’s behalf, asks an assistant for the login page, the support portal, or the vendor’s payment address, and receives the hallucinated domain back as a confident, authoritative answer. The recommendation arrives wrapped in the credibility of a tool the user already trusts, and it never has to pass through a mail gateway, a spam filter, or an authentication check of any kind.

Where This Leaves DMARC

This is worth being direct about: DMARC has nothing to say here, and it was never going to. DMARC, SPF, and DKIM authenticate the channel a message travels through, confirming that mail claiming to be from your domain actually left infrastructure you authorized. Phantom squatting does not send mail from your domain. It sends nothing at all in the traditional sense. An AI assistant simply states a URL as fact, and the fabricated domain inherits trust the attacker never had to earn through a spoofed From header or a look-alike sender address.

What this exposes is a gap next to email authentication rather than inside it. The same brand-protection discipline that DMARC enforcement depends on, knowing every domain and subdomain associated with your name, monitoring for registrations that mimic your brand, and closing gaps before an attacker finds them, now has to extend past domains a human might mistype and into domains a model might invent. A company can have DMARC at full enforcement across every domain it owns and still lose a customer to a domain it never registered, recommended by a chatbot the customer trusted more than a search result.

What Defenders Can Actually Do

Query the models yourself before an attacker does. Ask the major AI assistants what your login page, support portal, and payment address are, repeatedly and from different angles. The domains they hallucinate today are the domains most likely to be weaponized against you in the 18-to-51-day window Unit 42 documented. Registering the ones that matter closes that window before it opens.

Feed hallucinated variants into your existing domain-watch tooling. Most brand-protection and DMARC platforms already monitor for lookalike registrations built around typosquatting patterns. Add the AI-hallucinated strings to that same watchlist so a new registration triggers the same alert a typosquat would.

Keep BIMI and verified branding current on every domain you do control. It will not stop a hallucinated domain from existing, but it gives your legitimate domains a visual signal in the inbox that a freshly registered impersonator cannot easily replicate, reinforcing which domain is actually yours across every channel that still runs through email.

Treat AI-tool output as an untrusted third-party recommendation, inside your own organization too. Employees using AI assistants to find vendor portals or partner payment pages are exposed to the same hallucination risk as customers. A quick verification habit, checking a URL against a bookmarked or previously confirmed address before entering credentials or payment details, blunts the entire attack regardless of which brand gets hallucinated.

The Takeaway

Phantom squatting is a reminder that brand impersonation defense can no longer stop at the edges of email. DMARC, SPF, and DKIM remain essential for the channel they were built to secure, and full enforcement should stay the baseline for every domain a business owns. But attackers have found a delivery path that never asks permission from any of those protocols, because it never touches them. Closing that gap means watching what the models say about your brand with the same discipline you already apply to watching what mail claims to be from it.


Strong DMARC enforcement is still the foundation every other brand-protection layer builds on, closing the door on spoofed mail while your team watches the newer channels attackers are exploring. Sign up for free to Excello Mail to get full visibility and enforcement across every domain and subdomain you own.