Unit 42, the threat intelligence team at Palo Alto Networks, published new research showing how criminals now use large language models to build phishing attacks inside a victim’s browser. The research explains that attackers no longer need to send ready-made phishing emails or host obvious fake login pages.
In this method, a webpage first looks harmless. It loads with no visible malicious code and no links associated with crime. Once the page opens inside a browser, it makes a request to a trusted LLM service and asks for code that will later act as a phishing page.
Unit 42 explained that attackers write prompts that describe what the malicious code should do. The LLM returns JavaScript code in text form. The browser then assembles and runs this code instantly, turning a safe-looking page into a phishing page built for that single visitor.
The research says this technique lets criminals avoid older checks that scan webpages before they load. Since the code does not exist until the page runs, security tools that rely on stored patterns struggle to catch it.
Why Does This Method Evade Detection So Well?
Unit 42 said every visit produces a unique version of the phishing code. The LLM creates a new variant each time, with different wording and structure but the same outcome. This makes blocklists and static signatures ineffective.
The malicious content also arrives from trusted LLM service domains. Many workplaces allow traffic from these domains, so the browser receives the code without raising alarms. The report said this traffic blends in with everyday corporate use of AI tools.
Another factor is how the code hides in plain text. The JavaScript starts life as a text prompt rather than executable code. Traditional network tools do not treat text prompts as a threat. The attack only appears once the browser converts the text into running code.
Unit 42 said runtime assembly already appears in 36% of malicious webpages detected daily by Palo Alto Networks. The use of LLMs takes runtime assembly a step further, allowing attackers to customise pages to location, language or email address without leaving traces behind.
What Does The Research Show In Practice?
The Unit 42 team built a proof of concept using a known phishing framework called LogoKit. The original attack used static JavaScript to personalise pages and steal credentials. In the test, the researchers replaced this static code with LLM-generated scripts.
The webpage made live requests to a popular LLM service through a browser API. The LLM returned code to impersonate branded login pages and send stolen credentials to an external server. The initial page sent over the network stayed clean.
Unit 42 found that direct requests for harmful actions often failed. Small wording changes worked far better. A request for a generic data sending function passed through filters, while a clear request to steal credentials did not.
Each response from the LLM looked different. The non-deterministic output produced constant mutation in the code. The researchers confirmed that the final phishing page worked without errors in most tests.
Unit 42 said this shows how criminals could scale phishing campaigns that adapt instantly to each visitor and avoid early detection.
How Can Organisations Defend Against This Type of Phishing?
The research says the most effective defence sits inside the browser at the moment code runs. Runtime behavioural analysis can spot suspicious actions such as credential capture and data exfiltration when they happen.
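As an added illustration of that kind of runtime behavioural rule (not code from Unit 42 or Palo Alto Networks), the sketch below correlates three behaviours in one script: it was assembled at runtime from off-origin text, it read a password field, and it then sent data to another origin. The event schema, the `textFrom` provenance field and all `.example` hosts are assumptions made for the example.

```javascript
// Added example. The event schema is hypothetical: it stands in for what a
// browser-side sensor with string provenance tracking might emit.
const LLM_API_HOSTS = new Set(['api.llm.example']); // placeholder host

// Flags scripts that were (1) assembled at runtime from text fetched off-origin,
// (2) read a password field, and (3) then sent data to another origin.
function analyseTrace(pageHost, events) {
  const assembled = new Map();   // scriptId -> host that supplied its source text
  const readSecret = new Set();  // runtime-assembled scripts that read a password
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'dynamic_exec' && ev.textFrom && ev.textFrom !== pageHost) {
      assembled.set(ev.scriptId, ev.textFrom);
    } else if (ev.type === 'field_read' && ev.fieldType === 'password' &&
               assembled.has(ev.scriptId)) {
      readSecret.add(ev.scriptId);
    } else if (ev.type === 'net_request' && ev.host !== pageHost &&
               readSecret.has(ev.scriptId)) {
      const source = assembled.get(ev.scriptId);
      findings.push({ scriptId: ev.scriptId, codeSource: source,
                      fromLlmApi: LLM_API_HOSTS.has(source), sentTo: ev.host });
      readSecret.delete(ev.scriptId); // one finding per capture-then-send chain
    }
  }
  return findings;
}

// Constructed trace: the page calls an LLM API, executes the returned text, and
// the resulting script reads a password field and posts off-origin.
const suspiciousTrace = [
  { type: 'net_request', scriptId: 's1', host: 'api.llm.example' },
  { type: 'dynamic_exec', scriptId: 's2', textFrom: 'api.llm.example' },
  { type: 'field_read', scriptId: 's2', fieldType: 'password' },
  { type: 'net_request', scriptId: 's2', host: 'collector.example' },
];

// Constructed trace: a chat widget calls the same API but only renders text; the
// login form is handled by a static first-party script and posts same-origin.
const benignTrace = [
  { type: 'net_request', scriptId: 's1', host: 'api.llm.example' },
  { type: 'field_read', scriptId: 's1', fieldType: 'password' },
  { type: 'net_request', scriptId: 's1', host: 'portal.example' },
];

console.log(analyseTrace('landing.example', suspiciousTrace));
console.log(analyseTrace('portal.example', benignTrace));
```

The rule keys on behaviour rather than code content, so it gives the same verdict however the generated script is worded from one visit to the next.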
Unit 42 also said organisations should limit access to unsanctioned LLM services inside workplaces. This alone will not stop attacks, but it removes an easy delivery channel.
The report adds that stronger safety guardrails inside LLM platforms would slow misuse. The proof of concept showed that prompt wording often slipped past current controls.
Palo Alto Networks said tools such as Advanced URL Filtering and Prisma Browser with Advanced Web Protection help block runtime assembly attacks from the first attempt. These tools analyse behaviour instead of scanning for known code.




