July 2, 2026

    May 2026 Product Releases

    This month's releases include new detections for Google Workspace account compromise, Windows symbolic link abuse, and Bitdefender threat events. We also improved the Entra ID Conditional Access Policy detection to reduce false positives from Microsoft's background policy management. On the integration side, we fixed several issues in the Autotask two-way PSA integration, improved PSA setup error messaging, and added organization name context to case notifications.

    Detection Updates

    Log Type Details
    Google Workspace NEW - Google Workspace: Account Suspended for Spam or Hijacking

    This new detection identifies Google Workspace audit events indicating an account has been suspended due to spam activity or account hijacking. These events fire when Google's automated systems detect abuse, providing early visibility into compromised or weaponized accounts in your Google Workspace environment.

    Default state: Enabled
    Windows NEW - Symbolic Link or Junction Creation to System Path

    This new detection identifies use of the mklink command to create symbolic links or directory junctions pointing to or from Windows system paths such as System32, Program Files, SysWOW64, and ProgramData. Attackers use this technique to redirect execution paths, masquerade as trusted system processes, or bypass security tools that whitelist processes running from known system locations.

    Default state: Enabled
    Bitdefender NEW - Bitdefender: Antimalware Threat Detected on Host

    This new detection identifies Bitdefender antimalware log events indicating a threat was detected and action was taken on an endpoint. It surfaces Bitdefender threat activity within Blumira findings, giving teams with Bitdefender deployed a centralized view of endpoint security events alongside other log sources.

    Default state: Disabled
    Microsoft 365 UPDATE - Entra ID: Conditional Access Policy Added/Modified/Deleted

    We improved detection logic to reduce false positives generated by Microsoft Managed Policy changes, which were surfacing legitimate admin account names as the apparent actors behind automatic background policy updates.

    Bug Fixes and Improvements

    Bug Fixes 

    • Autotask PSA - Integration Setup Stuck State: We fixed a bug where a failed Autotask API call during MSP PSA integration setup could leave the integration in a broken state that prevented any future configuration changes.
    • Autotask PSA - API Rate Limiting: We fixed a bug where a per-instance field info cache caused some Autotask API calls to exceed thread thresholds and fail.
    • Autotask UI - ConnectWise References: We fixed lingering references to ConnectWise that appeared in the Autotask PSA configuration interface.
    • Agent Configuration - Description Field: We fixed a bug where the Agent Detail description field was only visible on certain license editions.

    Improvements 

    • Autotask PSA - Setup Error Messages: We improved error messages during MSP PSA integration setup, making it easier to diagnose connection and permission failures.
    • Case Notifications - Org Name: Case notifications now include the organization name, helping teams in multi-tenant environments quickly identify which organization triggered an alert.

    April 2026 Release Notes

    In case you missed the April updates, you can find and review those notes here.

    Amanda Berlin

    Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...

    More from the blog

    View All Posts