This month, Blumira introduced several enhancements to streamline detection coverage and user management. We released new detection rules for Microsoft 365, VMware, and Windows to identify risky activity such as secure access pass creation, SSH enablement, and potential exfiltration via WinSCP. We also improved detection logic across multiple rules to reduce false positives and better reflect real-world attacker behavior.
On the platform side, MSP account administrators now have full visibility into users and accounts from a centralized portal, simplifying user management across accounts. Additional bug fixes improved report accuracy, filtering options, PSA ticket handling, and the overall MSP Portal experience.
MSP Portal User and Account Administration: We improved how we surface accounts and users to MSP account administrators, to give greater visibility and control over user and account management.
MSP Portal can now be used for nearly all user management from one location, except for MFA resets and configuring notification preferences. Updates include the following:
- All accounts associated with an MSP organization are now visible to MSP administrators in the portal, regardless of the administrator’s role within each account.
- MSP administrators can now see all users associated with their MSP’s sub-accounts directly from the portal.
- When a new sub-account is created, the MSP’s top-level account administrators are automatically pre-populated with the Administrator role. Administrators have the option to modify roles during account creation without needing to edit after saving.
- Removing a user’s roles and access from all accounts via the portal permanently deletes the user.
Detection Updates
Log Type | Details |
---|---|
Microsoft 365 | NEW - Microsoft 365: Secure Access Pass Created. This detection rule monitors for administrators creating Temporary Access Passes, which allow users to bypass standard credential checks. Default state: Enabled |
VMware | NEW - VMware: SSH Enabled on Host. This detection rule monitors for when a user enables SSH service on ESXi or vSphere hosts. Default state: Disabled |
Windows | NEW - Internal Reconnaissance - All Connections - Low Threshold. This detection rule is similar to existing detections that identify internal reconnaissance, but a lower connection count threshold needs to be met before generating a finding. Default state: Disabled |
Windows | NEW - Potential Exfiltration via WinSCP. This rule detects WinSCP usage patterns consistent with recent attack behaviors, indicating possible data exfiltration. Default state: Disabled |
Windows | NEW - Remote Access Tool: PDQ Remote Desktop Agent. This detection rule identifies when PDQ’s Remote Desktop Agent launches or is running on an endpoint, which may indicate remote access activity. Default state: Enabled |
Microsoft 365 | UPDATE - Microsoft 365: Suspicious Inbox Rule Creation. We expanded this rule’s coverage to include inbox rules being created to send emails to the “Deleted” folder. |
Windows | UPDATE - Compress Data for Exfiltration: Rar. We expanded this rule’s coverage to include new command patterns observed in recent attacks. |
Windows | UPDATE - Named Pipe Client Impersonation. We updated this rule’s detection logic to reduce false positives triggered by safe and legitimate Chrome extensions. |
Bug Fixes and Improvements
Bug Fixes
- "Blumira 7-Day Summary: Grouped Log Counts by Type" global report: We removed device name and IP information so results would be correctly grouped by type and count only.
- Detection Filters “In” Operator: We fixed a bug that was preventing users from creating detection filters using the “In” operator for some previously unsupported fields.
- Boolean Filtering in Report Builder: We fixed an issue causing problems when using boolean filtering in Report Builder.
- MSP User Management Messaging: We added informational text to the Edit User and Delete User windows for MSP account administrators to clarify when the changes being made affect only the MSP’s top-level account versus all of the customers' sub-accounts and the MSP’s account.
- MSP Portal Accounts Page: We updated the Accounts page to help users better identify and understand the purpose of the table, so it now displays the heading “Access Management” at the top of the page.
- MSP Portal Bulk Actions Page: We resolved an issue preventing the MSP Portal Bulk Actions page from loading when the parent account has a large number of sub-accounts.
- PSA Workflow Step Missing: We fixed an issue causing the first step of findings workflows to be missing from MSP PSA tickets in ConnectWise-integrated accounts.
- PSA Ticket Resolution Updates: We resolved an issue that was causing PSA tickets to incorrectly update resolutions even though findings were not re-opened, nor were their statuses changed.
- MITRE Tag Display: We improved how long lists of MITRE tags are displayed on findings so tags and surrounding finding details are easier to read.
August 2025 Release Notes
In case you missed the August updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.