{"id":14176,"date":"2026-07-09T10:03:42","date_gmt":"2026-07-09T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/helix-data-extortion-group-uses-vishing-and-device-code-phishing-to-steal-sharepoint-data\/"},"modified":"2026-07-09T10:03:42","modified_gmt":"2026-07-09T10:03:42","slug":"helix-data-extortion-group-uses-vishing-and-device-code-phishing-to-steal-sharepoint-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/helix-data-extortion-group-uses-vishing-and-device-code-phishing-to-steal-sharepoint-data\/","title":{"rendered":"Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data"},"content":{"rendered":"<p>    Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Helix has surfaced as a fast-moving data extortion group that targets Microsoft 365 users through phone scams and cloud-focused phishing instead of traditional malware drops. <\/p>\n<p class=\"wp-block-paragraph\">Attackers are after access first, then large volumes of corporate files, with SharePoint libraries becoming a central prize in multiple incidents.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The campaign stands out because it leans on identity abuse rather than noisy ransomware behavior. <\/p>\n<p class=\"wp-block-paragraph\">Victims can be talked into entering a device code, giving the threat actor a valid session that bypasses many of the warning signs defenders expect from password theft.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Analysts at ReliaQuest said the activity reflects a broader shift toward identity-driven intrusion chains, and they tied Helix to a repeatable playbook seen across several cases. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-helix-new-name-in-data-extortion-ecosystem\/\" id=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-helix-new-name-in-data-extortion-ecosystem\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ReliaQuest said in a report<\/a> shared with\u00a0Cyber Security News (CSN)\u00a0that the group used shared infrastructure and the same core methods across different targets.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Researchers believe Helix likely emerged from the same <a href=\"https:\/\/cybersecuritynews.com\/ransomware-groups-intensify-targeting-of-aviation\/\" id=\"149224\" target=\"_blank\" rel=\"noreferrer noopener\">data extortion ecosystem that has already splintered<\/a> into smaller successor operations, which helps explain the overlap in hosting, lures, and post-compromise behavior. <\/p>\n<p class=\"wp-block-paragraph\">The result is a threat that can move quickly, stay quiet, and steal sensitive cloud data before many organizations realize an account has been hijacked.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-helix-data-extortion-group-uses-vishing-and-device-code-phishing\" class=\"wp-block-heading\"><strong>Helix Data Extortion Group Uses Vishing and Device Code Phishing<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Helix starts by learning enough about a target to sound believable on the phone. <\/p>\n<p class=\"wp-block-paragraph\">In at least one confirmed case, the caller impersonated the victim\u2019s manager and walked the user through entering a device code in Chrome, allowing the attacker to capture an authenticated session without ever asking for the password.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">That approach matters because many employees do not see it as handing over credentials, even though the end result can be the same. <\/p>\n<p class=\"wp-block-paragraph\">ReliaQuest found that Helix also registered target-specific subdomains under a phishing domain, used residential proxy infrastructure matched to the victim\u2019s city, and rotated through numerous source addresses to make sign-ins look more normal.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Once inside, the <a href=\"https:\/\/cybersecuritynews.com\/microsoft-azure-mfa-vulnerability\/\" id=\"86056\" target=\"_blank\" rel=\"noreferrer noopener\">operator typically registered a new MFA authenticator<\/a> on the compromised account within minutes, creating a simple but durable foothold. <\/p>\n<p class=\"wp-block-paragraph\">That is why the most effective defenses in the report are also the most direct: disable device code authentication where possible, restrict sensitive SaaS access to managed endpoints, and block newly registered domains before they can be used as fresh lures.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-sharepoint-as-the-payout\" class=\"wp-block-heading\"><strong>SharePoint as the payout<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">After persistence was established, <a href=\"https:\/\/cybersecuritynews.com\/escalating-iranian-apt-threats-against-critical-infrastructure\/\" id=\"144234\" target=\"_blank\" rel=\"noreferrer noopener\">Helix shifted to discovery and collection<\/a> inside Microsoft 365, with SharePoint repeatedly serving as the main source of high-value files. <\/p>\n<p class=\"wp-block-paragraph\">In some incidents the move from access to bulk exfiltration happened in under an hour, while in others the attacker spent days quietly reading email, reviewing site pages, and preparing for a larger download.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">ReliaQuest described a pattern of manual browsing followed by automated SharePoint enumeration and mass downloads from a hosted IP address used only for exfiltration. <\/p>\n<p class=\"wp-block-paragraph\">That detail is important because it shows Helix is not simply grabbing whatever it can see immediately, but is organizing the theft to collect as much data as possible with as little friction as possible.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The report also notes that standard response steps such as password resets, session revocation, and account disablement can still work, but only if they happen quickly and across both cloud and on-premises identity systems at the same time. <\/p>\n<p class=\"wp-block-paragraph\">In one case, the attacker even tried to re-register MFA and reset the password soon after the account was disabled, showing how narrow the response window can be.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">For defenders, the lesson is less about one new brand name and more about a maturing extortion model built on trust, timing, and familiar cloud services. <\/p>\n<p class=\"wp-block-paragraph\">Helix shows how a well-rehearsed phone call and a single device code can open the door to a quiet, large-scale SharePoint theft that leaves very <a href=\"https:\/\/cybersecuritynews.com\/malware-analysis\/\" id=\"82355\">little malware behind for responders to chase<\/a>.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Organizations that still treat SharePoint as a low-risk collaboration tool may be underestimating how valuable it looks to extortion crews. <\/p>\n<p class=\"wp-block-paragraph\">When a single compromised identity can expose contracts, internal plans, legal records, and customer data, the cloud repository becomes both the target and the pressure point.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of compromise (IoCs):-<\/strong><a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>IP Address<\/td>\n<td>179.43.185.230\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<td>Exfiltration IP\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>179.43.185.226\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<td>IP previously associated with BlackFile\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>oskeysync.com\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<td>Phishing domain\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/622ba426-8183-4dfb-8efb-da22925a6b6a\/Helix-Data-Extortion-Group-Uses-Vishing-and-Device-Code-Phishing-to-Steal-SharePoint-Data.pdf?AWSAccessKeyId=ASIA2F3EMEYEU5XCG5QV&amp;Signature=QFR8r47zdo6ejor972uG8tIIKro%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICcKRoQsuULvQr6XDQK8fp%2BnJm%2BPj9XySfiRjQlXetp9AiEAixqpJ5L2qfGoXCAULxYgF10YQyiq%2FggMNgDuHYrwXNIq%2FAQImP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDLpiVAVMasuBJhqzACrQBHTPk76KHNwASsGiIdAlbF3%2BNHFhVqWe4%2BoMUvtA%2FWULCNLZosH6dCMOA8YOVtLPU38AVtT6bG%2B7mA6IwqkgCEsbvMJtjMb98y2aJUm5NybaC03BJdtnXWNY4aOvmuXtPy71Nay%2Bs6ekEJk1DFzoHOyiUpeDNWp5wkGATT4zSjw4i1hOXCJS1KRo0QQR9vW%2F%2BCJkEo9Swq1fbWcLk4D4A5etEtsh9%2FvU539zwVVIphL0adHTbMQOXVxAtKmOzxm%2FjHv8BgkVde0%2FXhlVWj3nJFSZpb%2FO5w0ipaZ9toQ4kXs%2FXgaPnyR7Id6bMWOm25rfki%2BOa54vDaHT3AYKKlHR0JStUuuQdD9Wv8JqG%2FjxQGkE13yuTW6D9ponjqvqCwDkmXThgmlA02fRZq9xtzB74wdLaNP4%2FqgHHSWsYMnh1yJSGzZuqFiWVtXgv3idmmr4lYjlcjsfZM4P75otbZ9Wh9AT3LLWomFdpq4Kle1W8pTkGz7Cr2Qpms8mGgSvYpwsIYOvvFk2BSjRZsX4ZC4x3kXPNueZk68U6p3w3M%2BIv4cDJkcdDOhmunsW8YIYi8HEtQ2jEN8grtLiRziyV96bRU9mwEdAWVC3UQ3oDYtu1xBwNSHK7IDsc5GHSzQyju5fKJHJhxY9Bdcf39r4B7%2BirWNpy5E6CWDe5rQ8Uh39StGIyQHs51TTGEcUmSXC1lxVKymIuboYqHo3kTl1Wbknumn3mhNNmMVxlTXSOahSJtWnGj%2FfhuuB6J9KnQds5FJFmzHVi0Gqp8ZjKcWVl371bZAwkJC90gY6mAH%2FF5XuNBe9LAV1o%2B4UQNqXYVmnbNywpIeU4MVU0BqgwhIIGiiT%2BVo9GEiD%2BxTchkfU468oIvjzelKh4NVbA5Wx60J9cmfAhJSucHz83MZcxaEcz8Z18vraOGVTRCuvpkAo9gEy%2B7cUdU0uoyn9f3QgRGy9PXRAi0zL1HVNwzVjkWR6pa8DbqhlUJ%2BQag07ZAf1gGnfpODXEw%3D%3D&amp;Expires=1783584227\"><\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong>Prevent critical incidents and financial loss with stronger proactive defense.\u00a0<\/strong><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=feeds+landing&amp;utm_content=ti+feeds+sales&amp;utm_term=070726#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate a live threat feed from 15K SOC Teams<\/a><\/strong>.<\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/helix-data-extortion-group-uses-vishing-and-device-code-phishing\/\">Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/helix-data-extortion-group-uses-vishing-and-device-code-phishing\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Helix Data Extortion Group Uses Vishing and Device Code Phishing to Steal SharePoint Data Helix has surfaced as a fast-moving data extortion group that targets Microsoft 365 users through phone scams and cloud-focused phishing instead of traditional malware drops. Attackers are after access first, then large volumes of corporate files, with SharePoint libraries becoming a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,1],"tags":[130],"class_list":["post-14176","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-uncategorized","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14176"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14176"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14176\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}