
A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.
Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager's name or caller ID spoofing to appear legitimate.
The purpose is to trick the target into device-code phishing schemes to gain access to their accounts.
Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files.
According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.
The SharePoint exfiltration behavior is Helix’s strongest technical fingerprint.
"Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," the researchers note.
“The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”
Links to ShinyHunters and BlackFile
ReliaQuest believes that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used, although the researchers did not find a definitive connection.
Over the past month, Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University confirmed data breaches previously claimed by ShinyHunters.
The now defunct BlackFile data extortion group targeted organizations using identity-based attacks and social engineering before ceasing operations in April.
ReliaQuest's research found that one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources.
Additionally, Helix emerging shortly after BlackFile shut down may indicate a potential continuation of the extinct operation. ReliaQuest also mentions Pink and Redact as potential successors.
Concerning the link to ShinyHunters, Helix demonstrates a very similar social engineering playbook, including vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data.
A second clue is the use of the NICENIC registrar, which has also been seen in past ShinyHunters campaigns.
As a highest-impact defensive measure against Helix attacks, the researchers recommend that device code authentication be disabled where possible.
Other recommendations include restricting SharePoint access to only managed devices and blocking exchanges with newly registered domains, which Helix typically uses in its attacks.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.










English (US) ·