Helix Group Leverages Vishing and MFA Abuse for SharePoint Data Extortion
A new data-extortion group, dubbed **Helix**, has emerged, employing sophisticated identity-focused tactics to infiltrate **SharePoint** environments. Utilizing vishing, device code phishing, and multi-factor authentication abuse, the group aims to steal sensitive data for ransomware and potential sale on the dark web. Cybersecurity firm **ReliaQuest** has identified **Helix**'s unique fingerprints and potential ties to established threat actors.

The **Helix** group initiates its attacks through voice phishing (**vishing**), often impersonating managers or spoofing caller IDs to appear legitimate. The primary goal is to trick employees into device-code phishing schemes, thereby gaining unauthorized access to their accounts.
Once inside, **Helix** operators swiftly register new multi-factor authenticator apps to maintain persistence. They then proceed to browse and enumerate **SharePoint** content before exfiltrating files.
According to researchers at **ReliaQuest**, the stolen data is typically used for extortion, with **Helix** threatening to publish it unless a ransom is paid. Alternatively, the data may be sold to other cybercriminals.
### Helix's Technical Fingerprint
The most distinctive technical fingerprint of **Helix** is its consistent **SharePoint** exfiltration behavior. **ReliaQuest** notes: "Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from *179.43.185[.]230* using the `python-requests/2.28.1` user-agent."
Operators issue `contentclass:STS_Site` and wildcard (`*`) **SharePoint** searches to inventory all accessible content, followed by bulk downloads from the same IP address and user-agent.
### Links to ShinyHunters and BlackFile
**ReliaQuest** posits that **Helix** may have emerged from the **ShinyHunters** and **BlackFile** data extortion groups, citing similarities in techniques and infrastructure, although a definitive connection remains unconfirmed.
In recent months, organizations such as **Medtronic**, **Nissan**, **NAIC**, **Kodak**, **Infinite Campus**, and **Nottingham University** have confirmed data breaches previously claimed by **ShinyHunters**.
The now-defunct **BlackFile** data extortion group, which ceased operations in April, also targeted organizations using identity-based attacks and social engineering.
**ReliaQuest**'s research indicates that one **Helix** attack utilized an exfiltration IP address within the same autonomous system (**AS 51852**) that hosted a confirmed **BlackFile** IP address, suggesting shared resources. The timing of **Helix**'s emergence shortly after **BlackFile**'s shutdown further hints at a potential continuation of the extinct operation. **ReliaQuest** also mentions **Pink** and **Redact** as potential successors.
The link to **ShinyHunters** is reinforced by **Helix**'s similar social engineering playbook, which includes **vishing**, employee impersonation, targeting **Microsoft 365**, and stealing **SharePoint** data. Another clue is the use of the **NICENIC** registrar, observed in past **ShinyHunters** campaigns.
### Defensive Measures
To mitigate **Helix** attacks, **ReliaQuest** recommends disabling device code authentication wherever feasible. Additional recommendations include restricting **SharePoint** access to only managed devices and blocking exchanges with newly registered domains, which **Helix** typically employs in its attacks.