Automated detection of masquerade attacks with AI and decoy documents
Abstract
Adversaries can launch masquerade attacks by stealing user credentials and then logging into a system, pretending to be the compromised user. These attacks are particularly challenging to detect, because the adversaries have the same permissions as the users they impersonate. Previous works have shown that masquerade attacks can be detected by deploying decoy documents on the users' computers. Since decoy documents are, in general, only accessed by attackers, they can be used to detect masquerade attacks. However, previous works lack data generated by real-world adversaries and do not propose detection mechanisms. To address this challenge, we design effective machine learning masquerade attack detection models. The models are trained using data from our previous real-world experiment, which includes real cybercriminal interactions with a honeyfile server. We find that our machine learning models are able to detect masquerade attacks in a real-world scenario with an accuracy of at least 98%. © 2024 IEEE.
28 October 2024 through 29 October 2024
205126

