A newly identified cybercrime group called Helix is targeting Microsoft SharePoint environments. The attackers rely on voice phishing, device-code phishing, and multi-factor authentication (MFA) abuse to steal sensitive company data.
Researchers say the group focuses on compromising Microsoft 365 accounts first. It then steals SharePoint files and uses the data to extort victims. In some cases, the stolen information may also be sold to other cybercriminals.
Helix Uses Vishing to Gain Access
According to cybersecurity firm ReliaQuest, Helix starts its attacks with voice phishing, also known as vishing.
The attackers call employees while pretending to be company managers. They may use the manager’s real name. They may also spoof the caller ID to appear legitimate.
The goal is simple. Convince the victim to complete a device-code phishing request.
If successful, the attackers gain access to the employee’s Microsoft 365 account. They do not need to steal the user’s password.
SharePoint Data Is the Main Target
After compromising an account, Helix moves quickly.
The attackers register a new MFA authenticator app to maintain access. They then search the SharePoint environment for valuable files.
Next, they download large amounts of data.
ReliaQuest says this SharePoint activity is the group’s strongest technical fingerprint.
Researchers observed automated SharePoint searches from the IP address 179.43.185[.]230. The activity used the python-requests/2.28.1 user agent.
The attackers searched for accessible SharePoint sites using the contentclass:STS_Site query. They also used wildcard searches to locate additional content before downloading files in bulk.
Researchers See Links to Older Groups
ReliaQuest believes Helix may be connected to the now-defunct BlackFile group. It may also share ties with ShinyHunters. However, the researchers say they have not confirmed either connection.
Several organizations have recently confirmed breaches previously claimed by ShinyHunters. These include Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and The University of Nottingham.
BlackFile shut down in April. Before that, the group relied heavily on identity-based attacks and social engineering.
One Helix campaign used an exfiltration server hosted in the same autonomous system (AS51852) as a confirmed BlackFile server. That overlap suggests the groups may share infrastructure.
Researchers also point out that Helix appeared shortly after BlackFile disappeared. Other possible successors include Pink and Redact.
Helix Shares Tactics With ShinyHunters
ReliaQuest also found several similarities between Helix and ShinyHunters.
Both groups use voice phishing and employee impersonation. Both target Microsoft 365 users. Both focus on stealing SharePoint data.
Researchers also found that Helix uses the NICENIC domain registrar. ShinyHunters has used the same registrar in previous campaigns.
Although these similarities are notable, they do not prove the groups are directly connected.
How to Defend Against Helix
ReliaQuest recommends disabling device-code authentication wherever possible. The researchers describe this as the most effective defense against Helix attacks.
Organizations should also restrict SharePoint access to managed devices. In addition, they should block communications with newly registered domains. Helix frequently uses these domains during phishing campaigns.
Security teams should also monitor Microsoft 365 authentication activity. Early detection can help stop attackers before they steal sensitive SharePoint data.


0 responses to “Helix Vishing Group Targets SharePoint Data in New Extortion Campaigns”