The Helix data-extortion group is targeting Microsoft 365 environments with voice phishing, device code phishing, and MFA abuse to hijack authenticated cloud sessions and steal data from SharePoint. ReliaQuest reported that after gaining access, the attackers quickly establish persistence by registering a new authenticator app, then enumerate SharePoint content and exfiltrate files for extortion or resale. In some observed cases, Helix moved from initial access to bulk SharePoint theft in less than an hour, while other intrusions involved quieter reconnaissance across email and SharePoint before mass downloads.
Researchers said Helix uses target-specific phishing subdomains, newly registered domains, residential proxies mapped to a victim’s city, and rotating source IPs to make logins appear legitimate while leaving few malware artifacts. A notable indicator was automated SharePoint enumeration and bulk download activity from IP address 179.43.185.230 using the python-requests/2.28.1 user agent. ReliaQuest said the group may overlap with the ShinyHunters or BlackFile extortion ecosystems, though attribution remains unconfirmed, and recommended disabling device code authentication where possible, restricting SaaS and SharePoint access to managed devices, and blocking newly registered domains tied to the campaign.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
ReliaQuest assessed that Helix may have emerged from or overlaps with the ShinyHunters and BlackFile extortion ecosystems based on similarities in timing, infrastructure, and tradecraft. The researchers said they did not establish a definitive attribution link.
ReliaQuest reported a new data-extortion group called Helix conducting identity-focused attacks against Microsoft 365 tenants using vishing, device code phishing, and MFA abuse, with a focus on stealing data from SharePoint. The report also described Helix’s persistence via newly registered authenticator apps and its rapid cloud-based exfiltration workflow.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourcereliaquest.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.