July 2, 2026

    June 2026 Product Releases

    This month's releases include five new detections across Microsoft 365 and Windows — covering password spraying via legacy authentication, Teams helpdesk impersonation, PsExec lateral movement correlation, Bomgar remote access tool abuse, and EDR process execution from user directories. We overhauled the Connection from Public IP detection suite in phase one of a three-phase rewrite, broadened ScreenConnect coverage to catch process name variants observed in ransomware incidents, and reduced false positives in the PowerShell Suspicious Parent Process and Endpoint TOR Traffic rules. We also shipped HTTP Ingestion for general availability, added Zscaler Client Connector log parsing, and improved CEF log field coverage.

    Detection Updates

    Log type: Microsoft 365
    NEW - Microsoft 365: Excessive Failed BAV2ROPC Authentication Attempts

    This new detection identifies excessive failed authentication attempts using the BAV2ROPC OAuth flow, a legacy Microsoft authentication protocol that does not enforce multi-factor authentication. Attackers use this protocol to conduct password spraying campaigns against Microsoft 365 accounts, bypassing MFA controls that would otherwise block credential guessing.

    Default state: Disabled
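The spray pattern described above, as an added illustration rather than Blumira's own rule logic: failed sign-ins that arrive over the legacy BAV2ROPC flow are counted per source IP inside a sliding window, and a source that clears the threshold across many distinct accounts is reported together with any accounts it did sign in to. The record layout (keys `time`, `user`, `src_ip`, `client_app`, `result`) and the threshold are assumptions, and the sign-in records are constructed.

```python
"""Threshold detection for password spraying over legacy (BAV2ROPC) auth.

Added example, not Blumira's detection. It assumes Microsoft 365 / Entra
sign-in records flattened to dicts with the (assumed) keys time, user,
src_ip, client_app and result; which raw field carries "BAV2ROPC" depends
on the log source. All sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # assumed: failures per source IP in the window
WINDOW = timedelta(minutes=10)   # assumed sliding window

# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    # One external IP walking six accounts over legacy auth: spray pattern.
    {"time": "2026-06-03T08:00:05", "user": "alice@example.com", "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    {"time": "2026-06-03T08:01:10", "user": "bob@example.com",   "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    {"time": "2026-06-03T08:02:20", "user": "carol@example.com", "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    {"time": "2026-06-03T08:03:30", "user": "dave@example.com",  "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    {"time": "2026-06-03T08:04:45", "user": "erin@example.com",  "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    {"time": "2026-06-03T08:05:50", "user": "frank@example.com", "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "failure"},
    # Same IP lands a password on a seventh account: the urgent part of the finding.
    {"time": "2026-06-03T08:06:40", "user": "gina@example.com",  "src_ip": "203.0.113.10", "client_app": "BAV2ROPC", "result": "success"},
    # A user mistyping a password through modern auth: MFA still applies, not counted.
    {"time": "2026-06-03T08:02:00", "user": "bob@example.com",   "src_ip": "198.51.100.7", "client_app": "Browser",  "result": "failure"},
    {"time": "2026-06-03T08:02:30", "user": "bob@example.com",   "src_ip": "198.51.100.7", "client_app": "Browser",  "result": "failure"},
    {"time": "2026-06-03T08:03:00", "user": "bob@example.com",   "src_ip": "198.51.100.7", "client_app": "Browser",  "result": "failure"},
]


def detect_legacy_auth_spray(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per source IP whose failed BAV2ROPC sign-ins reach
    `threshold` inside any `window`-long span. Successful BAV2ROPC sign-ins
    from a flagged IP are listed alongside, since a spray that lands one
    password is the case that needs immediate response."""
    failures = defaultdict(list)   # src_ip -> [(time, user), ...]
    successes = defaultdict(set)   # src_ip -> {user, ...}
    for e in events:
        if e["client_app"] != "BAV2ROPC":
            continue   # modern-auth failures are handled by MFA, not this rule
        if e["result"] == "failure":
            failures[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
        elif e["result"] == "success":
            successes[e["src_ip"]].add(e["user"])

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window: find the densest span of failures no longer than `window`.
        best = (0, 0)
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        span = attempts[best[0]:best[1] + 1]
        if len(span) < threshold:
            continue
        findings.append({
            "src_ip": ip,
            "failures": len(span),
            "targeted_accounts": sorted({user for _, user in span}),
            "first_seen": span[0][0].isoformat(),
            "last_seen": span[-1][0].isoformat(),
            "successful_accounts": sorted(successes.get(ip, ())),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_legacy_auth_spray(SAMPLE_EVENTS):
        print(finding)
```

Counting per source IP rather than per account is what separates a spray (many accounts, few passwords) from a single user mistyping a password, and the modern-auth failures from 198.51.100.7 never enter the count because MFA still stands in their way.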

    Log type: Microsoft 365
    NEW - Microsoft 365: Teams Helpdesk Impersonation from External Tenant

    This new detection identifies Microsoft Teams messages from external tenant accounts using helpdesk-related display names. This social engineering technique is used by attackers to impersonate internal IT support staff, build trust with the target, and direct victims to grant remote access via tools like Quick Assist.

    Default state: Enabled

    Log type: Windows
    NEW - PsExec Service Execution Correlation

    This new detection correlates PsExec source and target host activity by combining Blumira Agent network connection data with Windows Event ID 7045 (new service installed). By joining both signals, it provides stronger evidence of lateral movement than either indicator alone.

    Default state: Enabled
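The join described above, as an added example that is not Blumira's rule: each Event ID 7045 on a target host that installs a PsExec service is matched against the most recent agent-observed connection to that host on TCP/445 within a short window, so the finding names both the source and the target. The two feed layouts, the 60-second window, and the assumption that the service is PSEXESVC by default (a renamed copy changes the service name, so the image path is checked too) are this example's, and the events are constructed.

```python
"""Correlating PsExec source and target signals.

Added example, not Blumira's detection. Two constructed feeds are assumed:
  NET_EVENTS - agent network connections: time, src_host, dst_host, dst_port
  WIN_EVENTS - Windows System log: time, host, event_id, service_name, image_path
PsExec installs a service on the target over SMB/445 (PSEXESVC by default;
a renamed binary changes the name, so the image path is checked as well).
"""
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(seconds=60)   # assumed

# Constructed agent network-connection records.
NET_EVENTS = [
    {"time": "2026-06-10T13:02:10", "src_host": "WS-ACCT-07", "dst_host": "SRV-FILE-02", "dst_port": 445},
    {"time": "2026-06-10T13:02:15", "src_host": "WS-ACCT-07", "dst_host": "SRV-FILE-02", "dst_port": 135},
    # Routine SMB to a print server with no service install following it.
    {"time": "2026-06-10T13:40:00", "src_host": "WS-HR-03",   "dst_host": "SRV-PRINT-01", "dst_port": 445},
]

# Constructed Windows System log records (Event ID 7045 = new service installed).
WIN_EVENTS = [
    {"time": "2026-06-10T13:02:14", "host": "SRV-FILE-02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # A vendor service install: 7045 but not PsExec.
    {"time": "2026-06-10T13:05:00", "host": "SRV-FILE-02", "event_id": 7045,
     "service_name": "ExampleVendorUpdater", "image_path": "C:\\Program Files\\ExampleVendor\\updater.exe"},
    # PsExec service with no agent-observed connection: single signal only.
    {"time": "2026-06-10T14:20:00", "host": "SRV-DB-01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
]


def is_psexec_service_install(ev):
    """True for a 7045 whose service name or image path points at PSEXESVC."""
    if ev["event_id"] != 7045:
        return False
    return "PSEXESVC" in ev["service_name"].upper() or "PSEXESVC" in ev["image_path"].upper()


def correlate_psexec(net_events, win_events, window=CORRELATION_WINDOW):
    """Join each PsExec service install with the latest SMB/445 connection to
    the same host that arrived at most `window` before it.

    Returns (findings, unmatched_hosts): correlated findings carry both ends
    of the lateral movement; unmatched hosts saw the service install alone."""
    findings, unmatched = [], []
    for ev in win_events:
        if not is_psexec_service_install(ev):
            continue
        t_install = datetime.fromisoformat(ev["time"])
        candidates = []
        for n in net_events:
            if n["dst_host"] != ev["host"] or n["dst_port"] != 445:
                continue
            lag = t_install - datetime.fromisoformat(n["time"])
            if timedelta(0) <= lag <= window:   # connection precedes the install
                candidates.append((lag, n))
        if not candidates:
            unmatched.append(ev["host"])
            continue
        lag, conn = min(candidates, key=lambda c: c[0])   # closest preceding connection
        findings.append({
            "source_host": conn["src_host"],
            "target_host": ev["host"],
            "service_name": ev["service_name"],
            "image_path": ev["image_path"],
            "lag_seconds": int(lag.total_seconds()),
            "installed_at": ev["time"],
        })
    return findings, unmatched


if __name__ == "__main__":
    found, alone = correlate_psexec(NET_EVENTS, WIN_EVENTS)
    for f in found:
        print("PsExec lateral movement:", f)
    print("service install without agent connection:", alone)
```

The unmatched list is kept deliberately: a PsExec service install with no agent-observed connection is still worth a lower-severity review (the source may be a host without the agent), while the correlated pair is the high-confidence finding.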

    Log type: Windows
    NEW - Remote Access Tool: Bomgar

    This new detection identifies execution of Bomgar remote access software. While Bomgar is used legitimately by vendors and managed service providers, threat actors have abused it to maintain unauthorized persistent access to compromised systems.

    Default state: Disabled

    Log type: Windows
    NEW - EDR Process Executed from User Directory

    This new detection identifies EDR processes executing from user directories such as the Downloads folder rather than their standard installation paths. Attackers impersonate or abuse security tool processes as part of post-compromise activity, including disabling backup services and creating security tool exclusions.

    Default state: Enabled

    Log type: Windows / HTTP Access
    UPDATE - Connection from Public IP Detection Suite (Phase 1)

    As part of a planned three-phase overhaul, we renamed the Connection from Public IP detections and fixed a false positive condition in the TCP/445 rule where connections established and immediately torn down within the same minute were still generating findings.
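The false-positive condition described above, as an added example that is not Blumira's rule: connection-tracking events are paired into sessions by their 4-tuple, and a TCP/445 session from a public address is reported only if it was not established and torn down inside the same minute. The event layout (`time`, `state`, `src_ip`, `src_port`, `dst_ip`, `dst_port`) is assumed, the public-address test excludes only RFC 1918, loopback and link-local ranges so that the 203.0.113.0/24 documentation range can stand in for public space, and the events are constructed.

```python
"""Public-IP TCP/445 rule with the same-minute connect/teardown suppression.

Added example, not Blumira's detection. Assumes connection-tracking events
flattened to dicts with keys time, state ("established" / "closed"),
src_ip, src_port, dst_ip, dst_port. Sample events are constructed.
"""
import ipaddress
from datetime import datetime

# Only RFC 1918, loopback and link-local are treated as non-public here, so the
# 203.0.113.0/24 documentation range can stand in for public addresses.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed connection-tracking events (not real log data).
SAMPLE_EVENTS = [
    # Established and torn down inside the same minute: the former false positive.
    {"time": "2026-06-12T12:00:03", "state": "established", "src_ip": "203.0.113.50", "src_port": 51000, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"time": "2026-06-12T12:00:04", "state": "closed",      "src_ip": "203.0.113.50", "src_port": 51000, "dst_ip": "10.0.0.5", "dst_port": 445},
    # Session that lives for several minutes: reported.
    {"time": "2026-06-12T12:01:30", "state": "established", "src_ip": "203.0.113.51", "src_port": 52000, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"time": "2026-06-12T12:05:12", "state": "closed",      "src_ip": "203.0.113.51", "src_port": 52000, "dst_ip": "10.0.0.5", "dst_port": 445},
    # Internal client: out of scope for a public-IP rule.
    {"time": "2026-06-12T12:02:00", "state": "established", "src_ip": "192.168.1.20", "src_port": 53000, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"time": "2026-06-12T12:09:00", "state": "closed",      "src_ip": "192.168.1.20", "src_port": 53000, "dst_ip": "10.0.0.5", "dst_port": 445},
    # Public session still open when the batch ends: reported, duration unknown.
    {"time": "2026-06-12T12:03:00", "state": "established", "src_ip": "203.0.113.52", "src_port": 54000, "dst_ip": "10.0.0.5", "dst_port": 445},
    # Non-SMB traffic: ignored by this rule.
    {"time": "2026-06-12T12:03:10", "state": "established", "src_ip": "203.0.113.53", "src_port": 55000, "dst_ip": "10.0.0.5", "dst_port": 443},
]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_NETS)


def same_minute(t1, t2):
    a = datetime.fromisoformat(t1).replace(second=0, microsecond=0)
    b = datetime.fromisoformat(t2).replace(second=0, microsecond=0)
    return a == b


def flag_public_smb(events, port=445):
    """Return findings for TCP/`port` sessions from public addresses.

    A session whose 'established' and 'closed' events fall in the same minute
    is suppressed; a session still open at the end of the batch is reported
    with duration_s=None."""
    open_sessions = {}   # 4-tuple -> establishing event
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        if e["dst_port"] != port or not is_public(e["src_ip"]):
            continue
        key = (e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"])
        if e["state"] == "established":
            open_sessions[key] = e
        elif e["state"] == "closed":
            opened = open_sessions.pop(key, None)
            if opened is None:
                continue   # teardown with no observed open: nothing to judge
            if same_minute(opened["time"], e["time"]):
                continue   # established and torn down in the same minute: suppressed
            duration = datetime.fromisoformat(e["time"]) - datetime.fromisoformat(opened["time"])
            findings.append({"src_ip": key[0], "dst_ip": key[2], "dst_port": key[3],
                             "established": opened["time"], "duration_s": int(duration.total_seconds())})
    for key, opened in open_sessions.items():
        findings.append({"src_ip": key[0], "dst_ip": key[2], "dst_port": key[3],
                         "established": opened["time"], "duration_s": None})
    return findings


if __name__ == "__main__":
    for f in flag_public_smb(SAMPLE_EVENTS):
        print(f)
```

The suppression is written literally as "same calendar minute", which is what the release note describes; a session opened at 12:00:59 and closed at 12:01:00 crosses the boundary and would still be reported, so a deployment that wants "short-lived" rather than "same minute" should compare the duration against a threshold instead.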

    Log type: Windows
    UPDATE - Remote Access Tool: ScreenConnect

    We expanded the ScreenConnect detection to include additional process name variants observed in recent ransomware incidents, broadening coverage beyond the previously matched process name.

    Log type: Windows
    UPDATE - PowerShell: Execution from Suspicious Parent Process

    We updated detection logic to exclude Dell Command Update activity, which was generating false positives for organizations using Dell endpoint management tools.

    Log type: Windows
    UPDATE - Endpoint TOR Traffic

    We added the command field to matched evidence in Endpoint TOR Traffic findings and added detection filters to reduce false positives from Windows Time Service (W32Time) activity, which was being flagged due to its use of IP address ranges that overlap with TOR exit nodes.

    Bug Fixes and Improvements

    Bug Fixes

    • Report Builder - Data Source Selection: We fixed a bug where customers were unable to select data sources in Report Builder.
    • Organization Editing - Invalid Domain: We fixed a bug where organizations with an invalid or missing domain entry could not be updated in the Blumira application, and improved the error message when this condition occurs.
    • Agent Seat Count: We fixed an error that occurred when updating the agent seat count on organizations with no allocated group seats.

    Improvements

    • HTTP Ingestion - General Availability: HTTP Ingestion is now available across all supported license tiers. Customers can configure HTTP-based log source integrations directly in Settings to send logs from compatible vendors to Blumira without deploying an agent.
    • PSA Note Sync - Author Attribution: Notes synced from PSA platforms to Blumira now display the PSA user who wrote the note as the author, rather than a generic Blumira system entry.
    • Zscaler Client Connector: Blumira now parses firewall logs from Zscaler Client Connector, adding support for organizations using Zscaler's network security platform.
    • CEF Log Parsing: Improved parsing now captures previously missing key fields in CEF (Common Event Format) log sources, enabling more complete filtering, reporting, and investigation for CEF-based integrations.

    May 2026 Release Notes

    In case you missed the May updates, you can find and review those notes here.

    Amanda Berlin

    Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...
