Bleepingcomputer
Helix Data Extortion Group Targets SharePoint with Vishing and Phishing Tactics
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A new data extortion group named Helix has emerged, utilizing identity-focused tactics such as vishing and device code phishing to exploit Microsoft 365 environments. The group primarily targets SharePoint, employing social engineering techniques to trick employees into providing access to their accounts. Helix's operations involve spoofing calls from managers to gain trust, followed by phishing schemes to capture session tokens and bypass multi-factor authentication (MFA). Once inside, attackers quickly register new MFA apps for persistence and automate the enumeration and bulk download of SharePoint libraries. The stolen data is then used to extort organizations, threatening to publish or sell the information unless a ransom is paid. Helix appears to have links to the now-defunct BlackFile and ShinyHunters groups, suggesting a continuation of similar tactics. Security experts recommend disabling device code authentication and restricting access to managed devices to mitigate risks.
Key Points: • Helix employs vishing and device code phishing to access Microsoft 365 accounts. • The group targets SharePoint environments, automating data exfiltration processes. • Helix is believed to have connections to the BlackFile and ShinyHunters extortion groups.