Geoff McDonald, Microsoft; Moustafa Saleh, Microsoft; Bhavna Soman, Microsoft; Jugal Parikh, Microsoft; Andrea Lelli (MSR)

As browser and operating system security have improved, conventional malware attacks have increasingly come to rely on social engineering instead. These socially engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts are hosted by a Windows script execution engine and usually proceed to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation in place for some of the script execution engines, which passes behavior observed during execution through the AMSI interface to the default installed security product for scanning. In this presentation, we will show how we use this feature, combined with machine learning in Windows Defender AV, to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models.