Invention Grant
- Patent Title: Systems and methods for preventing malicious network connections using correlation-based anomaly detection
- Application No.: US15385963
- Application Date: 2016-12-21
- Publication No.: US10142357B1
- Publication Date: 2018-11-27
- Inventor: Acar Tamersoy, Kevin Roundy
- Applicant: Symantec Corporation
- Applicant Address: US CA Mountain View
- Assignee: Symantec Corporation
- Current Assignee: Symantec Corporation
- Current Assignee Address: US CA Mountain View
- Agency: Fisher Broyles, LLP
- Main IPC: H04L29/06
- IPC: H04L29/06; G06N99/00

Abstract:
The disclosed computer-implemented method may include (i) monitoring computing activity, (ii) detecting, during a specific time period, at least one malicious network connection that involves a computing device within a network, (iii) determining that no malicious network connections involving the computing device were detected during another time period, (iv) identifying a feature of the computing activity that (a) occurred during the specific time period and (b) did not occur during the other time period, (v) determining that the feature is likely indicative of malicious network activity due at least in part to the feature having occurred during the specific time period and not having occurred during the other time period, and in response to detecting the feature at a subsequent point in time, (vi) performing a security action on a subsequent network connection attempted around the subsequent point in time. Various other methods, systems, and computer-readable media are also disclosed.