Abstract

Friday 5 October 11:00 - 11:30, Red room

Karishma Sanghvi (Microsoft), Joe Blackbird (Microsoft)

This paper discusses efforts to identify malware authors through Windows Defender telemetry in order to improve customer protection. Malware authors have been difficult to identify through telemetry, since they are careful to avoid detection while developing and testing malware. However, as our cloud-based protection improves, malware authors may be forced to test their malware against our cloud-based solution, giving us an opportunity to identify them during their development phase.

The discussion outlines the process of identifying a sample of malware authors' devices through heuristic telemetry patterns, device-based information, and details on suspicious files originating from those devices. From this sample, we generalize the attributes of malware authors' devices in order to find new devices as they come online. The aim is a dynamic, more flexible approach to classifying malware author devices.

The paper will conclude with a test of the additional protection value gained from this classifier. Using experimental cloud-based protection, we will quantify the impact of blocking the files originating from the flagged machines. Furthermore, we will explore the result of taking action based on this classifier, since malware authors are sure to react to detection. Our aim is to put these malware authors in 'starvation mode' by determining the optimal number of files we can block without them disappearing and forcing us to find them again.
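To make the two measurable parts of the abstract concrete, the following is an added example, not code from the paper or from Microsoft. It runs one hypothetical "origin" heuristic over constructed telemetry: a device is flagged when it is the first place several files are seen that are later detected by cloud protection, and the protection value is estimated as the number of downstream (device, file) sightings that blocking those files at the source would have prevented. The event schema, the thresholds, the device names and the hash placeholders are all assumptions made for the example; the paper's actual heuristics and device attributes are not described on this page.

```python
"""Hypothetical device-origin heuristic over constructed telemetry (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed value)
    device: str      # constructed device identifier
    sha256: str      # constructed placeholder, not a real file hash
    kind: str        # "seen" = file observed on device, "detected" = later flagged by cloud protection


# Constructed sample telemetry, not real data. dev-A is the first to report
# three files, two of which are later detected on other devices.
EVENTS = [
    Event(100, "dev-A", "hash-1", "seen"),
    Event(200, "dev-B", "hash-1", "seen"),
    Event(300, "dev-C", "hash-1", "seen"),
    Event(350, "dev-C", "hash-1", "detected"),
    Event(110, "dev-A", "hash-2", "seen"),
    Event(400, "dev-D", "hash-2", "seen"),
    Event(410, "dev-D", "hash-2", "detected"),
    Event(120, "dev-A", "hash-3", "seen"),   # never detected anywhere
    Event(500, "dev-B", "hash-4", "seen"),
    Event(510, "dev-E", "hash-4", "seen"),
    Event(600, "dev-E", "hash-5", "seen"),
    Event(650, "dev-E", "hash-5", "detected"),
]


def origin_devices(events):
    """Map each file hash to the device that reported it first (earliest 'seen' event)."""
    first = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "seen" and e.sha256 not in first:
            first[e.sha256] = e.device
    return first


def detected_files(events):
    """Set of file hashes that cloud protection eventually detected on any device."""
    return {e.sha256 for e in events if e.kind == "detected"}


def score_devices(events, min_files=2, min_ratio=0.5):
    """Flag devices that are the origin of several files which later become detections.

    Thresholds are assumptions for the example: at least `min_files` originated files
    must later be detected, and they must make up at least `min_ratio` of the device's
    originated files, so an ordinary user who merely received one bad file is not flagged.
    """
    origin = origin_devices(events)
    detected = detected_files(events)
    originated = defaultdict(set)
    for sha, dev in origin.items():
        originated[dev].add(sha)
    flagged = {}
    for dev, files in originated.items():
        bad = files & detected
        ratio = len(bad) / len(files)
        if len(bad) >= min_files and ratio >= min_ratio:
            flagged[dev] = {"originated": len(files), "later_detected": len(bad), "ratio": ratio}
    return flagged


def protection_value(events, flagged):
    """Count downstream (device, file) sightings of files that originated on a flagged device.

    Each pair is a sighting that would have been blocked at first sight had the
    origin device's files been blocked, which is the quantity the abstract proposes
    to measure for the experimental cloud-based protection.
    """
    origin = origin_devices(events)
    pairs = set()
    for e in events:
        src = origin.get(e.sha256)
        if e.kind == "seen" and src in flagged and e.device != src:
            pairs.add((e.device, e.sha256))
    return len(pairs)


if __name__ == "__main__":
    flagged = score_devices(EVENTS)
    print("flagged devices:", flagged)
    print("downstream sightings preventable:", protection_value(EVENTS, flagged))
```

On the constructed data only dev-A is flagged (two of its three originated files were later detected), and blocking its files at the source would have prevented three downstream sightings. The ratio threshold is what keeps dev-E, which originated a single detected file, from being classified as a malware author's device.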