
Cybersecurity Expert Warns: Trusted Application Trap Putting Even Secure Companies at Risk

    Why the most dangerous cyber attacks now hide inside legitimate business tools

    Key Points:

    • Cybersecurity expert reveals how attackers increasingly exploit trusted, legitimate tools to bypass traditional security controls
    • Expert explains tactics, including PowerShell abuse, remote desktop misuse, and compromised browser extensions
    • Expert warns that signature-based detection alone cannot identify these attacks because they use software businesses already trust

    Modern cyber attacks rarely announce themselves with suspicious executables or obvious malware anymore. Instead, attackers have found a more effective route: hiding their activities inside the very tools that businesses use every day. PowerShell scripts, remote desktop protocols, and administrative utilities (all legitimate applications that security teams have approved) are now being weaponised at an alarming rate.

    High-profile breaches in recent years, such as the SolarWinds supply chain attack and the Kaseya ransomware incident, have demonstrated how devastating this approach can be. When attackers compromise trusted software, they inherit its permissions, its access, and most importantly, its invisibility to traditional security controls.

    Danny Mitchell, Cybersecurity Writer at Heimdal, a unified AI-powered cybersecurity platform provider, explains why this shift is forcing organisations to rethink their entire approach to threat detection.

    “Traditional security focused on blocking known bad actors,” says Mitchell. “But when the bad actor is using PowerShell, a tool every Windows administrator needs, your antivirus doesn’t know whether to block it or allow it. That’s exactly what attackers are counting on.”

    Below, Mitchell breaks down how these attacks work and what organisations can do to close this dangerous blind spot.

    How Attackers Abuse Legitimate Tools

    Mitchell outlines the most commonly exploited trusted applications and explains why they’re so effective at evading detection.

    PowerShell and Command-Line Abuse

    PowerShell, Microsoft’s powerful scripting language, was designed to help IT administrators automate tasks and manage systems efficiently. However, its capabilities make it equally valuable to attackers.

    “PowerShell gives you direct access to Windows system functions,” Mitchell explains. “An attacker can use it to download malware, disable security features, extract credentials, and move laterally through a network, all the while appearing to be legitimate administrative activity.”

    Because PowerShell is pre-installed on Windows systems and frequently used by IT teams, blocking it entirely isn’t realistic for most organisations. Attackers exploit this necessity, knowing their PowerShell-based attacks will likely bypass signature-based antivirus solutions.

    Command-line interfaces like CMD and newer tools like Windows Terminal provide similar opportunities. Attackers can execute reconnaissance commands, manipulate files, and establish persistence mechanisms using tools that security systems are configured to trust.

    Remote Desktop Misuse

    Remote Desktop Protocol (RDP) and similar remote access tools have become indispensable for distributed workforces. Unfortunately, they’ve also become one of the most exploited attack vectors.

    Mitchell points out that once an attacker gains RDP credentials, whether through phishing, credential stuffing, or purchasing them on the dark web, they can access systems exactly as a legitimate user would.

    “The problem with RDP abuse is that it looks completely normal,” says Mitchell. “The attacker logs in with valid credentials, often from a residential IP address, using compromised home computers as proxies. Traditional security tools see an authorised user logging in and performing their job.”

    Attackers use RDP access to install ransomware, exfiltrate data, and create backdoor accounts for persistent access. The median time attackers spend inside a network before detection is measured in weeks, giving them ample opportunity to achieve their objectives.

    Browser Extensions and Admin Tools

    Browser extensions represent another trusted application category that attackers increasingly target. Many organisations rely on productivity extensions, password managers, and collaboration tools that request extensive permissions.

    “A malicious browser extension can capture everything you type, every site you visit, and every credential you enter,” Mitchell warns. “If an attacker compromises a legitimate extension through a supply chain attack, they inherit access to thousands or millions of users instantly.”

    Administrative tools like remote monitoring and management (RMM) software face similar risks. These tools require elevated privileges to function, and when compromised, they provide attackers with ready-made infrastructure for deploying ransomware or stealing data.

    Mitchell emphasises that these attacks evade signature-based detection because there’s no malicious file to identify. The applications themselves are legitimate; only their use is malicious.

    How Businesses Can Close the Trusted App Blind Spot

    Mitchell shares practical strategies organisations can implement to detect and prevent abuse of trusted applications without disrupting legitimate operations.

    Privileged Access Management

    Implementing privileged access management (PAM) controls who can use powerful tools and under what circumstances.

    “Not every employee needs PowerShell access,” Mitchell notes. “By restricting administrative tools to only those who genuinely need them, you dramatically reduce your attack surface.”

    PAM solutions can enforce just-in-time access, requiring approval for elevated privileges and automatically revoking them after a set period. This approach limits the window of opportunity for attackers to exploit compromised credentials.

    Behaviour-Based Detection

    Since signature-based detection fails against trusted application abuse, organisations must shift to behaviour-based approaches that identify anomalous activity patterns.

    “You need systems that understand what normal looks like for each user and application,” says Mitchell. “If someone who’s never used PowerShell suddenly starts running scripts at 3am, that should trigger an alert regardless of whether the tool itself is trusted.”

    Modern endpoint detection and response (EDR) platforms analyse factors like execution context, parent-child process relationships, network connections, and data access patterns to identify suspicious behaviour.

    DNS and Process Monitoring

    Mitchell recommends implementing DNS security and detailed process monitoring as additional detection layers.

    “Many PowerShell attacks involve downloading additional payloads from external servers,” Mitchell explains. “DNS monitoring can catch those connections to known malicious domains or newly registered domains that fit attacker patterns.”

    Process monitoring tracks which applications launch other applications, helping security teams spot unusual chains of execution that indicate compromise.
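    As an added example (not code from the article, from Heimdal, or from any EDR product), the per-user baseline Mitchell describes and the parent-child process check from the previous sections, applied to constructed process-creation events in Python. The sample events, EXPECTED_PARENTS, BUSINESS_HOURS and WATCHED_TOOLS are assumptions to be tuned to a real environment.

```python
from collections import Counter

# Constructed process-creation events (not from the article), shaped like what an EDR or
# Sysmon Event ID 1 record carries: user, parent image, child image, hour of day.
HISTORY = [  # last 30 days of activity, the "normal" to learn from
    {"user": "itadmin", "parent": "explorer.exe", "child": "powershell.exe", "hour": 10},
    {"user": "itadmin", "parent": "cmd.exe", "child": "powershell.exe", "hour": 15},
    {"user": "finance1", "parent": "explorer.exe", "child": "excel.exe", "hour": 9},
]
NEW_EVENTS = [  # today's events, scored against that baseline
    {"user": "itadmin", "parent": "explorer.exe", "child": "powershell.exe", "hour": 11},
    {"user": "finance1", "parent": "winword.exe", "child": "powershell.exe", "hour": 3},
    {"user": "finance1", "parent": "explorer.exe", "child": "excel.exe", "hour": 10},
]

# Assumed policy: parents from which interactive or admin PowerShell use is expected, the
# hours in which admin scripting normally happens, and the trusted tools worth watching.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "services.exe"}
BUSINESS_HOURS = range(8, 19)
WATCHED_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def build_baseline(history):
    """Per-(user, tool) launch counts: what 'normal' looks like for each user."""
    return Counter((ev["user"], ev["child"].lower()) for ev in history)

def score_event(ev, baseline):
    """Return the reasons an event looks anomalous; an empty list means it fits the baseline."""
    child, parent = ev["child"].lower(), ev["parent"].lower()
    reasons = []
    if child not in WATCHED_TOOLS:
        return reasons
    if parent not in EXPECTED_PARENTS:      # unusual parent-child chain, e.g. Office -> PowerShell
        reasons.append(f"{child} spawned by {parent}")
    if baseline[(ev["user"], child)] == 0:  # a tool this user has never launched before
        reasons.append(f"{ev['user']} has no history of running {child}")
    if ev["hour"] not in BUSINESS_HOURS:    # off-hours execution of an admin tool
        reasons.append(f"ran at {ev['hour']:02d}:00, outside business hours")
    return reasons

def detect(history, new_events):
    """Map the index of each anomalous event to its list of reasons."""
    baseline = build_baseline(history)
    findings = {}
    for i, ev in enumerate(new_events):
        reasons = score_event(ev, baseline)
        if reasons:
            findings[i] = reasons
    return findings
```

    The admin's daytime PowerShell launch from Explorer passes, while the Word-spawned, off-hours PowerShell run by a user with no PowerShell history collects three separate reasons; the tool is trusted in both cases, only the context differs.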

    “You’re not aiming to block every use of legitimate tools,” Mitchell concludes. “Instead, you’re trying to gain visibility into how they’re being used, so you can distinguish between an administrator doing their job and an attacker hiding in plain sight.”

    VoM News Desk