Helix Extortion Group Targets Enterprises with MFA Abuse and SharePoint Data Theft
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Helix extortion group has emerged, targeting enterprises by exploiting identity-focused entry techniques and automated SharePoint exfiltration. Their attack methods include voice phishing (vishing) and device-code phishing to capture session tokens, allowing them to bypass Conditional Access controls. The group rapidly registers MFA for persistence and conducts scripted enumeration and bulk downloads of SharePoint content. This campaign primarily affects Microsoft 365 users, with a focus on stealing large volumes of corporate files from SharePoint libraries. The operation is notable for its reliance on social engineering tactics rather than traditional malware. The current status indicates ongoing activity as the group continues to execute its campaigns against enterprises. Specific numbers and CVEs were not disclosed in the articles, but the impact is significant given the reliance on identity and cloud services.
Key Points: • Helix group uses vishing and device-code phishing to target Microsoft 365 users. • The operation focuses on exfiltrating data from SharePoint libraries. • Attackers bypass security measures like Conditional Access through social engineering.