Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data
Helix has surfaced as a fast-moving data extortion group that targets Microsoft 365 users through phone scams and cloud-focused phishing instead of traditional malware drops.
Attackers are after access first, then large volumes of corporate files, with SharePoint libraries becoming a central prize in multiple incidents.
The campaign stands out because it leans on identity abuse rather than noisy ransomware behavior.
Victims can be talked into entering a device code, giving the threat actor a valid session that bypasses many of the warning signs defenders expect from password theft.
Analysts at ReliaQuest said the activity reflects a broader shift toward identity-driven intrusion chains, and they tied Helix to a repeatable playbook seen across several cases.
ReliaQuest said in a report shared with Cyber Security News (CSN) that the group used shared infrastructure and the same core methods across different targets.
Researchers believe Helix likely emerged from the same data extortion ecosystem that has already splintered into smaller successor operations, which helps explain the overlap in hosting, lures, and post-compromise behavior.
The result is a threat that can move quickly, stay quiet, and steal sensitive cloud data before many organizations realize an account has been hijacked.
Helix Data Extortion Group Uses Vishing and Device Code Phishing
Helix starts by learning enough about a target to sound believable on the phone.
In at least one confirmed case, the caller impersonated the victim’s manager and walked the user through entering a device code in Chrome, allowing the attacker to capture an authenticated session without ever asking for the password.
That approach matters because many employees do not see it as handing over credentials, even though the end result can be the same.
ReliaQuest found that Helix also registered target-specific subdomains under a phishing domain, used residential proxy infrastructure matched to the victim’s city, and rotated through numerous source addresses to make sign-ins look more normal.
Once inside, the operator typically registered a new MFA authenticator on the compromised account within minutes, creating a simple but durable foothold.
That is why the most effective defenses in the report are also the most direct: disable device code authentication where possible, restrict sensitive SaaS access to managed endpoints, and block newly registered domains before they can be used as fresh lures.
SharePoint as the payout
After persistence was established, Helix shifted to discovery and collection inside Microsoft 365, with SharePoint repeatedly serving as the main source of high-value files.
In some incidents the move from access to bulk exfiltration happened in under an hour, while in others the attacker spent days quietly reading email, reviewing site pages, and preparing for a larger download.
ReliaQuest described a pattern of manual browsing followed by automated SharePoint enumeration and mass downloads from a hosted IP address used only for exfiltration.
That detail is important because it shows Helix is not simply grabbing whatever it can see immediately, but is organizing the theft to collect as much data as possible with as little friction as possible.
The report also notes that standard response steps such as password resets, session revocation, and account disablement can still work, but only if they happen quickly and across both cloud and on-premises identity systems at the same time.
In one case, the attacker even tried to re-register MFA and reset the password soon after the account was disabled, showing how narrow the response window can be.
For defenders, the lesson is less about one new brand name and more about a maturing extortion model built on trust, timing, and familiar cloud services.
Helix shows how a well-rehearsed phone call and a single device code can open the door to a quiet, large-scale SharePoint theft that leaves very little malware behind for responders to chase.
Organizations that still treat SharePoint as a low-risk collaboration tool may be underestimating how valuable it looks to extortion crews.
When a single compromised identity can expose contracts, internal plans, legal records, and customer data, the cloud repository becomes both the target and the pressure point.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP Address | 179.43.185.230 | Exfiltration IP |
| IP Address | 179.43.185.226 | IP previously associated with BlackFile |
| Domain | oskeysync.com | Phishing domain |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data appeared first on Cyber Security News.
Tushar Subhra Dutta
Go to cyber-security-news