A computer-implemented method for reevaluating apparently benign behavior on computing devices may include (1) receiving a plurality of reports from a plurality of computing systems that indicate that an attack that targeted each of the systems reached a specific stage on each system, (2) identifying behavioral data that includes, for each computing system within the plurality, a plurality of activities that the computing system observed before the attack reached the specific stage on the computing system, wherein the plurality of activities are of a type of activity that is relevant to detecting a prior stage of the attack, (3) analyzing the behavioral data to correlate the attack with at least one activity observed before the attack reached the specific stage, and (4) determining that the activity is suspect based at least in part on correlating the attack with the activity. Various other methods, systems, and computer-readable media are also disclosed.