Back to Feed
Threat IntelligenceJul 9, 2026

New Helix vishing group emerges in SharePoint data theft attacks

New Helix group uses vishing and MFA abuse to steal SharePoint data for extortion.

Summary

A new data-extortion group named Helix is targeting organizations by using identity-focused tactics like vishing, device code phishing, and MFA abuse to gain access to SharePoint environments. After gaining access, they register new MFA apps for persistence, then exfiltrate files, which are then used for extortion or sold to other cybercriminals. Researchers believe Helix may have emerged from or shares infrastructure with previous groups like ShinyHunters and BlackFile.

Full text

New Helix vishing group emerges in SharePoint data theft attacks By Bill Toulas July 9, 2026 01:08 PM 0 A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments. Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager's name or caller ID spoofing to appear legitimate. The purpose is to trick the target into device-code phishing schemes to gain access to their accounts. Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files. According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals. The SharePoint exfiltration behavior is Helix’s strongest technical fingerprint. "Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," the researchers note. “The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.” Links to ShinyHunters and BlackFile ReliaQuest believes that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used, although the researchers did not find a definitive connection. Over the past month, Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University confirmed data breaches previously claimed by ShinyHunters. The now defunct BlackFile data extortion group targeted organizations using identity-based attacks and social engineering before ceasing operations in April. ReliaQuest's research found that one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources. Additionally, Helix emerging shortly after BlackFile shut down may indicate a potential continuation of the extinct operation. ReliaQuest also mentions Pink and Redact as potential successors. Concerning the link to ShinyHunters, Helix demonstrates a very similar social engineering playbook, including vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data. A second clue is the use of the NICENIC registrar, which has also been seen in past ShinyHunters campaigns. As a highest-impact defensive measure against Helix attacks, the researchers recommend that device code authentication be disabled where possible. Other recommendations include restricting SharePoint access to only managed devices and blocking exchanges with newly registered domains, which Helix typically uses in its attacks. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Entra passkey enrollment vishing targets Microsoft 365 usersFBI warns of in-person data theft attacks from extortion gangMount Royal University confirms breach as hackers claim attackFake IT support calls on Microsoft Teams push EtherRAT malwareNAIC says public data stolen in ShinyHunters' PeopleSoft breach

Indicators of Compromise

  • ip — 179.43.185.230

Entities

Helix (threat_actor)ShinyHunters (threat_actor)BlackFile (threat_actor)SharePoint (product)MFA (technology)vishing (technology)