Shakespeare penned Macbeth in the early 1600s, but the advice on deception that Lady Macbeth delivers in Act 1 has found new life in today’s cyber landscape. “Look like the innocent flower, but be the serpent under it,” she warns. In modern terms, disguise your malicious intent within something that appears harmless or even welcome.
That’s exactly what today’s cyber threat actors are doing. Instead of relying on traditional malware (the serpent), they’re increasingly turning to legitimate, everyday tools (the flowers) already trusted within an organization’s environment. It’s a sophisticated evolution and one that exploits the tools and applications enterprises depend on most.
This shift in attacker tactics is both rapid and significant. A Bitdefender analysis of 700,000 high-severity cyber-attacks found that more than 8-in-10 attacks (84%) now leverage legitimate tools already installed in the environment through Living-off-the-Land (LotL) techniques. Unfortunately, detecting malicious actions within legitimate tools is extremely challenging.
How These Attacks Work
Consider your finance department. Attackers know finance staff regularly open invoices, so they send an email that seems perfectly normal:
“Thank you for the opportunity. My invoice is attached. Please let me know if there are any issues.”
Inside that attachment, however, lurks a malicious VBA macro. When an unsuspecting employee enables the content, the code executes and grants the attacker access to the system, all without installing traditional malware. The attacker has exploited a legitimate Microsoft Office feature.
Often, that macro triggers another legitimate tool: PowerShell, a powerful Windows utility used by administrators for automation and network configuration. Because PowerShell has deep access to critical functions, it’s also a favorite tool for cybercriminals. Once hijacked, it allows attackers to run malicious commands disguised as routine administrative activity, leaving few traces behind.
The Rise of Legitimate Tool-Enabled Attacks
At most organizations there are nearly two hundred legitimate tools that threat actors frequently leverage in attacks. This means the attack surface has expanded—again—and in a new direction. Recent research suggests organizational leaders may be catching on. More than 6-in-10 (64%) cybersecurity and IT leaders in the UK say they need to “reduce their attack surface by disabling unnecessary tools or applications,” according to the 2025 Bitdefender Cybersecurity Assessment. But how should they do it?
Preemptively Reducing the Attack Surface
Traditional approaches to attack surface reduction rely on blanket policies which block or restrict legitimate tools for everyone. But one-size-fits-all security rarely works. If policies are too restrictive, employees can’t do their jobs; too lenient, and attackers exploit the gap.
As technology continues to evolve, there’s now a better option: proactive hardening powered by behavioral learning. This is the foundation of Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), an advanced capability that continuously learns how each user, tool, and device behaves. Using hundreds of specialized machine learning models, PHASR monitors specific attack vectors and automatically adjusts defenses.
For example, it can identify who in your organization uses PowerShell and how they use it. It disables or restricts PowerShell for employees who don’t need it, allowing legitimate activity for admins who do, and blocking high-risk actions frequently used by attackers. The result: optimal productivity, minimal exposure, and a dramatically smaller attack surface.
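The two ideas above, spotting the macro-to-PowerShell chain from "How These Attacks Work" and tailoring PowerShell policy to each user's observed behavior, can be illustrated with a small defender-side script. The following is an added example written for this article; it is not Bitdefender or GravityZone PHASR code and makes no claim about how PHASR works internally. The pipe-separated process-creation records, user names, file paths and the base64 placeholder are all constructed for the example, and the risk patterns are the well-known PowerShell switches (encoded commands, hidden windows, execution-policy bypass, download cradles) that security teams commonly alert on.

```python
"""Added example (not Bitdefender or PHASR code).

1. Flag script hosts such as PowerShell launched by an Office parent process,
   the macro-to-PowerShell chain described in the article.
2. Learn per-user PowerShell use from a baseline window and derive a tailored
   policy: disable PowerShell for users with no legitimate use, allow it but
   block high-risk switches for users who do use it.

Record format (assumed for this example): user|parent_image|image|command_line
"""
import re
from collections import Counter

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line features far more common in abuse than in administration.
RISK_PATTERNS = [
    ("encoded command", re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I)),
    ("download cradle", re.compile(r"downloadstring|downloadfile|net\.webclient", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
]

# Constructed baseline records: what users normally do during the learning window.
BASELINE_LINES = [
    "CORP\\admin1|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\rotate-logs.ps1",
    "CORP\\admin1|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Service -Name Spooler",
    "CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n",
]
USERS = ["CORP\\admin1", "CORP\\jdoe"]

# Constructed new records to evaluate; BASE64PLACEHOLDER stands in for an encoded payload.
NEW_LINES = [
    "CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
    "CORP\\admin1|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\rotate-logs.ps1",
    "CORP\\admin1|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ep bypass -w hidden -enc BASE64PLACEHOLDER",
]


def parse_event(line):
    """Split one record into its four fields."""
    user, parent, image, cmdline = line.split("|", 3)
    return {"user": user.strip(), "parent": parent.strip(),
            "image": image.strip(), "cmdline": cmdline.strip()}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def risk_indicators(cmdline):
    """Labels of every risk pattern present in the command line, in table order."""
    return [label for label, rx in RISK_PATTERNS if rx.search(cmdline)]


def office_spawned_script_host(event):
    """True when an Office application is the direct parent of a script host."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) in SCRIPT_HOSTS)


def build_policy(baseline_events, all_users):
    """Map each user to 'restricted' (has legitimate PowerShell use) or 'disabled'.

    Only launches that are neither Office-spawned nor carrying risk indicators
    count as legitimate use, so a compromised baseline does not earn a user access.
    """
    legit = Counter()
    for ev in baseline_events:
        if (basename(ev["image"]) in POWERSHELL
                and not office_spawned_script_host(ev)
                and not risk_indicators(ev["cmdline"])):
            legit[ev["user"]] += 1
    return {u: ("restricted" if legit[u] else "disabled") for u in all_users}


def evaluate(event, policy):
    """Return ('block' | 'allow', reasons) for one event under the per-user policy."""
    reasons = []
    if office_spawned_script_host(event):
        reasons.append("script host spawned by Office parent")
    if basename(event["image"]) in POWERSHELL:
        if policy.get(event["user"], "disabled") == "disabled":
            reasons.append("PowerShell disabled for this user (no baseline use)")
        reasons.extend(risk_indicators(event["cmdline"]))
    return ("block" if reasons else "allow"), reasons


def audit(baseline_lines, users, new_lines):
    """Learn the policy from the baseline, then judge each new record."""
    policy = build_policy([parse_event(l) for l in baseline_lines], users)
    out = []
    for line in new_lines:
        ev = parse_event(line)
        decision, reasons = evaluate(ev, policy)
        out.append((ev["user"], decision, reasons))
    return out


if __name__ == "__main__":
    for user, decision, reasons in audit(BASELINE_LINES, USERS, NEW_LINES):
        print(f"{user:12} {decision:5} {'; '.join(reasons) or '-'}")
```

With the constructed data, the finance user's Office-spawned, encoded, hidden-window launch is blocked on four counts while the administrator's scheduled script is allowed untouched; the administrator's own launch with bypass, hidden-window and encoded switches is still blocked, which is the "allow the tool, block the high-risk actions" tier the article describes. The baseline deliberately ignores launches that already look abusive, so an attacker active during the learning window cannot teach the policy to trust them.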
Another Benefit of Proactive Hardening
Proactive hardening, which is essentially about tailored security, frustrates threat actors who rely on a uniform security approach throughout the organization. One of the first things threat actors often do is try to understand what security solution you have; the next thing is to buy that solution and test various attacks against it. Once attackers figure out an evasion technique, they are able to initiate the attack. However, with proactive hardening, you can reduce the probability that an attack that works one way in a test environment will also work the same way in the real world.
A Tragic End for Deceptive Tactics
Lady Macbeth’s counsel, “Look like the innocent flower, but be the serpent under it,” has become the guiding philosophy of modern threat actors. But with proactive hardening and dynamic attack surface reduction, organizations can turn the tables. These effective attack methods may soon face a downfall worthy of Shakespeare himself, a fitting end that proactively strengthens defenses and protects organizations.
