New Helix vishing group emerges in SharePoint data theft attacks

Jul 09, 2026 - 22:09
0 0
New Helix vishing group emerges in SharePoint data theft attacks

New Helix vishing group emerges in SharePoint data theft attacks

A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.

Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager's name or caller ID spoofing to appear legitimate.

The purpose is to trick the target into device-code phishing schemes to gain access to their accounts.

image

Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files.

According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.

The SharePoint exfiltration behavior is Helix’s strongest technical fingerprint.

"Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," the researchers note.

“The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”

Links to ShinyHunters and BlackFile

ReliaQuest believes that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used, although the researchers did not find a definitive connection.

Over the past month, Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University confirmed data breaches previously claimed by ShinyHunters.

The now defunct BlackFile data extortion group targeted organizations using identity-based attacks and social engineering before ceasing operations in April.

ReliaQuest's research found that one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources.

Additionally, Helix emerging shortly after BlackFile shut down may indicate a potential continuation of the extinct operation. ReliaQuest also mentions Pink and Redact as potential successors.

Concerning the link to ShinyHunters, Helix demonstrates a very similar social engineering playbook, including vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data.

A second clue is the use of the NICENIC registrar, which has also been seen in past ShinyHunters campaigns.

As a highest-impact defensive measure against Helix attacks, the researchers recommend that device code authentication be disabled where possible.

Other recommendations include restricting SharePoint access to only managed devices and blocking exchanges with newly registered domains, which Helix typically uses in its attacks.

article image

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0

Comments (0)

User