ThreatCluster

Helix Extortion Group Targets Enterprises with MFA Abuse and SharePoint Data Theft

First seen 9 Jul 2026, 10:55 UTC GbhackersCybersecuritynews 79% similarity 67

Article Content

Browse articles
ThreatCluster

The Helix extortion group has emerged, targeting enterprises by exploiting identity-focused entry techniques and automated SharePoint exfiltration. Their attack methods include voice phishing (vishing) and device-code phishing to capture session tokens, allowing them to bypass Conditional Access controls. The group rapidly registers MFA for persistence and conducts scripted enumeration and bulk downloads of SharePoint content. This campaign primarily affects Microsoft 365 users, with a focus on stealing large volumes of corporate files from SharePoint libraries. The operation is notable for its reliance on social engineering tactics rather than traditional malware. The current status indicates ongoing activity as the group continues to execute its campaigns against enterprises. Specific numbers and CVEs were not disclosed in the articles, but the impact is significant given the reliance on identity and cloud services.

Key Points: • Helix group uses vishing and device-code phishing to target Microsoft 365 users. • The operation focuses on exfiltrating data from SharePoint libraries. • Attackers bypass security measures like Conditional Access through social engineering.

ThreatCluster AI

Timeline

2026-07-09
Helix extortion group reported
Newly identified Helix group exploits identity techniques and SharePoint for data theft targeting enterprises.
Gbhackers
2026-07-09
Attack methods detailed
Helix employs vishing and device-code phishing to steal corporate files from Microsoft 365 users.
Cybersecuritynews

Community

Browse all →