Helix Data Extortion Group Targets SharePoint with Vishing and Phishing Tactics

Helix Data Extortion Group Targets SharePoint with Vishing and Phishing Tactics

First seen 9 Jul 2026, 10:55 UTC GbhackersCybersecuritynewsBleepingcomputerFeeds.4Sysopsreliaquest.com 81% similarity 68.0

Article Content

Browse articles
ThreatCluster

A new data extortion group named Helix has emerged, utilizing identity-focused tactics such as vishing and device code phishing to exploit Microsoft 365 environments. The group primarily targets SharePoint, employing social engineering techniques to trick employees into providing access to their accounts. Helix's operations involve spoofing calls from managers to gain trust, followed by phishing schemes to capture session tokens and bypass multi-factor authentication (MFA). Once inside, attackers quickly register new MFA apps for persistence and automate the enumeration and bulk download of SharePoint libraries. The stolen data is then used to extort organizations, threatening to publish or sell the information unless a ransom is paid. Helix appears to have links to the now-defunct BlackFile and ShinyHunters groups, suggesting a continuation of similar tactics. Security experts recommend disabling device code authentication and restricting access to managed devices to mitigate risks.

Key Points: • Helix employs vishing and device code phishing to access Microsoft 365 accounts. • The group targets SharePoint environments, automating data exfiltration processes. • Helix is believed to have connections to the BlackFile and ShinyHunters extortion groups.

ThreatCluster AI

Timeline

2026-07-09
Helix group identified
ReliaQuest reports on Helix's emergence, detailing its tactics and targeting of SharePoint environments.
ReliaQuest
2026-07-09
Vishing attacks reported
Helix uses vishing to impersonate managers and trick employees into providing access credentials.
BleepingComputer
2026-07-09
Data exfiltration methods detailed
Helix's automated enumeration and bulk download of SharePoint content are confirmed as key attack methods.
Gbhackers
2026-07-09
Security recommendations issued
Experts recommend disabling device code authentication and restricting access to managed devices to combat Helix attacks.
BleepingComputer

Community

Browse all →