New Helix vishing group emerges in SharePoint data theft attacks
The Helix group is a new data-extortion threat actor using voice phishing (vishing), device code phishing, and multi-factor authentication abuse to steal data from SharePoint environments. They impersonate managers via phone calls to trick employees into revealing device codes, then register new MFA authenticators for persistent access. Once inside, they enumerate and exfiltrate SharePoint data for extortion or sale. Helix is linked to previous groups like ShinyHunters and BlackFile based on tactics and infrastructure. Defensive measures include disabling device code authentication, restricting SharePoint access to managed devices, and blocking interactions with newly registered domains.
AI Analysis
Technical Summary
Helix is a data-extortion group employing identity-focused social engineering techniques such as vishing and device code phishing to compromise SharePoint accounts. Initial access is gained by impersonating managers in phone calls to employees, leading to MFA abuse by registering new authenticators. The group then performs automated SharePoint enumeration and bulk data exfiltration using consistent technical fingerprints (e.g., python-requests/2.28.1 user-agent from a specific IP). Researchers at ReliaQuest link Helix to former groups ShinyHunters and BlackFile based on shared infrastructure and tactics. The stolen data is used for ransom extortion or sold to other criminals. Recommended defenses include disabling device code authentication, limiting SharePoint access to managed devices, and blocking exchanges with newly registered domains.
Potential Impact
Helix's attacks result in unauthorized access to SharePoint environments, leading to large-scale data theft. The stolen data is leveraged for extortion by threatening publication or sold to other cybercriminals. This compromises organizational confidentiality and can cause financial and reputational damage. The abuse of MFA and social engineering techniques bypasses common authentication protections, increasing the risk of successful breaches.
Mitigation Recommendations
No official patch is applicable as this is a social engineering and authentication abuse threat. The highest-impact mitigation is to disable device code authentication where possible, as recommended by researchers. Additional measures include restricting SharePoint access to managed devices only and blocking communications with newly registered domains commonly used by Helix. Organizations should also educate employees about vishing and impersonation tactics to reduce susceptibility.
New Helix vishing group emerges in SharePoint data theft attacks
Description
The Helix group is a new data-extortion threat actor using voice phishing (vishing), device code phishing, and multi-factor authentication abuse to steal data from SharePoint environments. They impersonate managers via phone calls to trick employees into revealing device codes, then register new MFA authenticators for persistent access. Once inside, they enumerate and exfiltrate SharePoint data for extortion or sale. Helix is linked to previous groups like ShinyHunters and BlackFile based on tactics and infrastructure. Defensive measures include disabling device code authentication, restricting SharePoint access to managed devices, and blocking interactions with newly registered domains.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Helix is a data-extortion group employing identity-focused social engineering techniques such as vishing and device code phishing to compromise SharePoint accounts. Initial access is gained by impersonating managers in phone calls to employees, leading to MFA abuse by registering new authenticators. The group then performs automated SharePoint enumeration and bulk data exfiltration using consistent technical fingerprints (e.g., python-requests/2.28.1 user-agent from a specific IP). Researchers at ReliaQuest link Helix to former groups ShinyHunters and BlackFile based on shared infrastructure and tactics. The stolen data is used for ransom extortion or sold to other criminals. Recommended defenses include disabling device code authentication, limiting SharePoint access to managed devices, and blocking exchanges with newly registered domains.
Potential Impact
Helix's attacks result in unauthorized access to SharePoint environments, leading to large-scale data theft. The stolen data is leveraged for extortion by threatening publication or sold to other cybercriminals. This compromises organizational confidentiality and can cause financial and reputational damage. The abuse of MFA and social engineering techniques bypasses common authentication protections, increasing the risk of successful breaches.
Mitigation Recommendations
No official patch is applicable as this is a social engineering and authentication abuse threat. The highest-impact mitigation is to disable device code authentication where possible, as recommended by researchers. Additional measures include restricting SharePoint access to managed devices only and blocking communications with newly registered domains commonly used by Helix. Organizations should also educate employees about vishing and impersonation tactics to reduce susceptibility.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/","fetched":true,"fetchedAt":"2026-07-09T17:17:39.125Z","wordCount":714}
Threat ID: 6a4fd7b368715ace43c4365e
Added to database: 07/09/2026, 17:17:39 UTC
Last enriched: 07/09/2026, 17:17:44 UTC
Last updated: 07/10/2026, 03:34:51 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.