The New Cyber Threat Hiding in Plain Sight


According to Infosecurity Magazine, a Bitdefender analysis of 700,000 high-severity cyber-attacks reveals that 84% now leverage legitimate tools already installed in environments through Living-off-the-Land techniques. The research shows attackers are increasingly using trusted applications like Microsoft Office and PowerShell rather than traditional malware. In the UK, 64% of cybersecurity and IT leaders recognize they need to reduce their attack surface by disabling unnecessary tools, according to the 2025 Bitdefender Cybersecurity Assessment. This shift represents a sophisticated evolution where threat actors disguise malicious activity within normal business operations. The approach makes detection extremely challenging since security teams are essentially looking for malicious behavior within tools that are supposed to be there.


Sponsored content — provided for informational and promotional purposes.

The Living-off-the-Land Reality

Here’s the thing about this approach – it’s brilliant in its simplicity. Attackers aren’t bringing their own tools to the party anymore. They’re using what’s already on your systems. Think about that finance employee who regularly opens invoices. An attacker sends what looks like a perfectly normal email with an invoice attachment, but it contains a malicious VBA macro. When the employee enables content – something they do dozens of times daily – the attacker gets access without installing any traditional malware. They’ve turned Microsoft Office, arguably the most trusted business application worldwide, into their attack vector.

The PowerShell Problem

And then there’s PowerShell. This is where things get really interesting. PowerShell is an incredibly powerful Windows administration tool that gives users deep access to system functions. Attackers love it for exactly the same reasons IT admins do. Once they gain initial access through something like that Office macro, they can use PowerShell to run malicious commands that look identical to routine administrative activity. The scary part? There are nearly two hundred legitimate tools that threat actors frequently leverage for attacks. Your entire software stack has become potential weaponry.

Why Traditional Approaches Fail

So why can’t we just block these tools? Well, that’s the million-dollar question. Traditional security relies on blanket policies – either everyone gets access or no one does. But that creates an impossible choice. If you block PowerShell completely, your IT team can’t do their jobs. If you leave it wide open, attackers have a playground. It’s the classic security vs productivity trade-off, and honestly, most organizations err on the side of productivity because business needs to keep moving. The result? Attackers exploit the gap.

The Behavioral Learning Solution

Now there’s a different approach emerging. Bitdefender’s GravityZone PHASR uses proactive hardening powered by behavioral learning. Basically, it learns how each user, tool, and device normally behaves across hundreds of machine learning models. It can identify who actually needs PowerShell and how they use it, then disable or restrict it for employees who don’t need it while allowing legitimate activity for admins who do. The system automatically adjusts defenses based on actual usage patterns rather than one-size-fits-all policies.
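The per-user idea described above, together with the Office-to-PowerShell chain from the earlier sections, reduced to a small sketch. This is an added example, not Bitdefender's code and not a description of how GravityZone PHASR is implemented; the event shape, user names, paths and the three-day threshold are constructed assumptions.

```python
# Added example: per-user PowerShell baseline from process-creation events.
# Field layout, users, paths and the 3-day threshold are constructed assumptions.
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed learning-period events: (day, user, parent image, child image).
HISTORY = [
    (1, "it-admin", EXPLORER, PS), (2, "it-admin", EXPLORER, PS),
    (3, "it-admin", EXPLORER, PS), (4, "it-admin", EXPLORER, PS),
    (1, "finance-01", EXPLORER, EXCEL), (2, "finance-01", EXPLORER, EXCEL),
    (2, "dev-07", EXPLORER, PS),  # one-off use, below the threshold
]


def exe(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(history, min_days=3):
    """Users who started PowerShell (not from Office) on >= min_days distinct days."""
    days = defaultdict(set)
    for day, user, parent, image in history:
        if exe(image) in SHELLS and exe(parent) not in OFFICE:
            days[user].add(day)
    return {user for user, seen in days.items() if len(seen) >= min_days}


def evaluate(user, parent, image, baseline):
    """Decide what to do with a new process start: allow, restrict or alert."""
    if exe(image) not in SHELLS:
        return "allow"
    if exe(parent) in OFFICE:
        # Office spawning PowerShell matches the macro chain, whoever the user is.
        return "alert"
    return "allow" if user in baseline else "restrict"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for user, parent in [("it-admin", EXPLORER), ("finance-01", EXPLORER),
                         ("finance-01", EXCEL), ("it-admin", EXCEL)]:
        print(user, exe(parent), "->", evaluate(user, parent, PS, baseline))
```

Note that the Office parent check is applied before the baseline lookup, so an admin account that is normally allowed PowerShell still raises an alert when Excel is the process that launched it.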

What’s really clever about this approach is how it frustrates attackers. According to the 2025 Bitdefender Cybersecurity Assessment, threat actors typically study security solutions and test attacks against them in lab environments. But with proactive hardening, every organization’s defense posture becomes unique. An attack that works in testing might fail in production because the tool behavior and restrictions are tailored to that specific environment. It’s like trying to pick a lock that changes its mechanism for every door.

Lady Macbeth’s “look like the innocent flower” advice has never been more relevant. But with these new behavioral approaches, organizations might finally have a way to spot the serpents hiding in their own gardens.
