AI-fueled attacks can transform an innocuous webpage into a customed phishing page. The attacks, revealed in a research from Palo Alto Networks’ Unit 42, are clever in how they combine various obfuscation techniques. The combination though can be lethal, difficult to discover, and represent yet another new offensive front in the use of AI by bad actors to compromise enterprise networks.
The attack starts with an original and ordinary webpage then attackers add client-side API calls to LLMs that can dynamically generate malicious JavaScript code in real time. This polymorphic technique is dangerous for several reasons. First, it can bypass any built-in AI model security guardrails. Second, because it delivers its malware from a trusted LLM domain it may bypass typical network analysis. Without any runtime behavioral analysis screening, it won’t easily be discovered or blocked, because the assembly of the final malware code happens inside a client’s browser and leaves no static payload residue anywhere else in the process.
The analysts at Unit 42 wrote a proof-of-concept code that calls popular LLMs such as DeepSeek and Google’s Gemini into returning the malicious JavaScript. The key step is to use separate prompts to craft AI prompts that translate the malware and describe its functionality as plain text, which then generate different pieces of the actual malware code. The AI model can generate a variety of phishing code content and then assemble the various pieces, both of which make detection more difficult. The assembly, as mentioned, is happening at the very end of this malware supply chain, what SquareX calls a last mile reassembling attack.
While this attack isn’t exactly novel, what is new is the type of code pieces that are generated by the AI that are more difficult to detect. The example used in the PoC described four code fragments in its prompting instructions, each fragment involving a different step in the malware’s operations. Each prompt would return a syntactically unique yet functionally identical variant of the malicious code, according to the analysts. Think of this as the AI version of custom-coded malware that was first invented decades ago by attackers looking to evade static signature detection algorithms.
There are several ways the final malware assembly can be accomplished, including using a backend proxy server or a content delivery network to further hide the malware’s true nature by providing trusted domains to deliver the goods.
“Unfortunately, at least some of this comes back to having the user as the last line of defense,” Allie Mellen, Forrester principal analyst, security and risk, told CSO. “This attack prevents the vendors from using some phishing detection techniques, but many of the core phishing detection capabilities are still relevant here.”
Jess Burn, a Forrester analyst for email security, agrees that there is some protection with existing defensive technologies. However, “even though this attack uses the browser and an LLM to build the phishing page on the fly, the issue is still how users got to that page in the first place. Well-tuned email and collaboration security tools that spot suspicious links, newly registered domains, look‑alike brands, and unusual sender behavior can still stop many of these campaigns at the message layer so the user never clicks through to the ‘magic’ page that turns malicious at runtime.”
Unit 42 of course recommends Palo Alto Networks’ products to help defend against this attack. Other solutions include using secure web gateways as well as secure enterprise browsers that can prevent last mile attacks.