drop scheduled task xml · detect spoofed author/uri fields · runs locally
flags fake Microsoft authors · URI/author mismatch · unicode homoglyphs · future dates
heuristic screener · parses artifacts locally · legitimate third-party tasks may use non-Microsoft authors
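
A sketch of how checks like the ones listed above can be run over the `RegistrationInfo` block of a task definition; this is an added example, not the screener's own code. The flag names, the look-alike table, the 0.8 similarity threshold, the `\Microsoft\` path rule and the sample tasks are all assumptions made for illustration.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET
from datetime import datetime
from difflib import SequenceMatcher

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed, deliberately small look-alike table (Cyrillic/Greek -> Latin).
CONFUSABLES = str.maketrans("\u041c\u0456\u0441\u043e\u0455\u03bf", "Micoso")

def skeleton(text):
    """Fold compatibility forms and listed look-alikes to lowercase Latin."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).lower()

def screen_task(xml_text, now):
    """Return a sorted list of heuristic flags for one task definition."""
    if "<!DOCTYPE" in xml_text.upper():  # task XML needs no DTD; skip entity tricks
        return ["doctype-present"]
    info = ET.fromstring(xml_text).find("t:RegistrationInfo", NS)
    def field(name):
        return (info.findtext(f"t:{name}", "", NS) if info is not None else "").strip()
    author, uri, date = field("Author"), field("URI"), field("Date")
    flags, skel = set(), skeleton(author)
    claims_ms = "microsoft" in skel
    if claims_ms and not author.isascii():
        flags.add("homoglyph-author")
    # Near-miss spellings such as "Micros0ft"; the 0.8 threshold is an assumption.
    for word in re.findall(r"[a-z0-9]+", skel):
        if word != "microsoft" and SequenceMatcher(None, word, "microsoft").ratio() >= 0.8:
            flags.add("lookalike-author")
    # Assumption: tasks that claim Microsoft authorship live under \Microsoft\.
    if (claims_ms or "lookalike-author" in flags) and not uri.lower().startswith("\\microsoft\\"):
        flags.add("uri-author-mismatch")
    if date:
        try:  # compare at seconds precision; fraction and offset are ignored
            if datetime.strptime(date[:19], "%Y-%m-%dT%H:%M:%S") > now:
                flags.add("future-date")
        except ValueError:
            flags.add("unparseable-date")
    return sorted(flags)

# Constructed sample documents (RegistrationInfo only), not real artifacts.
def make_task(author, uri, date):
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><Date>{date}</Date>'
            f"<Author>{author}</Author><URI>{uri}</URI></RegistrationInfo></Task>")

NOW = datetime(2024, 1, 1)  # fixed clock so results are reproducible
SPOOFED = make_task("Micr\u043esoft Corporation", "\\Updater\\SyncHelper", "2031-01-01T00:00:00")
TYPO = make_task("Micros0ft Corporation", "\\Microsoft\\Windows\\Defrag\\Job", "2019-06-01T08:00:00")
THIRD_PARTY = make_task("Contoso Ltd", "\\Contoso\\Updater", "2020-03-15T12:30:00")
```

Calling `screen_task(SPOOFED, NOW)` yields the homoglyph, mismatch and future-date flags, while the third-party sample returns no flags because a non-Microsoft author is not suspicious by itself.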