instead of attacking the target directly, the malicious actor may go through a third party, like a food vendor that they order from or something. Then, from their interactions with that trusted vendor, they gain access to the systems they originally targetted

sometimes, to keep the attack hidden, they will only target a specific type of visitor to the infected website, like people from government addresses.