Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

New Helix vishing group emerges in SharePoint data theft attacks

0
Medium
Phishing
Published: 07/09/2026 (07/09/2026, 17:08:29 UTC)
Source: Bleeping Computer

Description

The Helix group is a new data-extortion threat actor using voice phishing (vishing), device code phishing, and multi-factor authentication abuse to steal data from SharePoint environments. They impersonate managers via phone calls to trick employees into revealing device codes, then register new MFA authenticators for persistent access. Once inside, they enumerate and exfiltrate SharePoint data for extortion or sale. Helix is linked to previous groups like ShinyHunters and BlackFile based on tactics and infrastructure. Defensive measures include disabling device code authentication, restricting SharePoint access to managed devices, and blocking interactions with newly registered domains.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 17:17:44 UTC

Technical Analysis

Helix is a data-extortion group employing identity-focused social engineering techniques such as vishing and device code phishing to compromise SharePoint accounts. Initial access is gained by impersonating managers in phone calls to employees, leading to MFA abuse by registering new authenticators. The group then performs automated SharePoint enumeration and bulk data exfiltration using consistent technical fingerprints (e.g., python-requests/2.28.1 user-agent from a specific IP). Researchers at ReliaQuest link Helix to former groups ShinyHunters and BlackFile based on shared infrastructure and tactics. The stolen data is used for ransom extortion or sold to other criminals. Recommended defenses include disabling device code authentication, limiting SharePoint access to managed devices, and blocking exchanges with newly registered domains.

Potential Impact

Helix's attacks result in unauthorized access to SharePoint environments, leading to large-scale data theft. The stolen data is leveraged for extortion by threatening publication or sold to other cybercriminals. This compromises organizational confidentiality and can cause financial and reputational damage. The abuse of MFA and social engineering techniques bypasses common authentication protections, increasing the risk of successful breaches.

Mitigation Recommendations

No official patch is applicable as this is a social engineering and authentication abuse threat. The highest-impact mitigation is to disable device code authentication where possible, as recommended by researchers. Additional measures include restricting SharePoint access to managed devices only and blocking communications with newly registered domains commonly used by Helix. Organizations should also educate employees about vishing and impersonation tactics to reduce susceptibility.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/","fetched":true,"fetchedAt":"2026-07-09T17:17:39.125Z","wordCount":714}

Threat ID: 6a4fd7b368715ace43c4365e

Added to database: 07/09/2026, 17:17:39 UTC

Last enriched: 07/09/2026, 17:17:44 UTC

Last updated: 07/10/2026, 03:34:51 UTC

Views: 9

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses