← All stories
● Covered by 1 source Β· 1 reportHigh impact

New Helix vishing group targets SharePoint for data theft

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

A new cybercriminal group named Helix is using vishing and MFA abuse to steal data from SharePoint environments. The group impersonates employees to trick victims into giving up sensitive information, leading to data extortion practices similar to those of previous groups like ShinyHunters and BlackFile.

Key points

Emergence of the Helix Group

Helix is a newly identified data-extortion group that has surfaced in the cybersecurity landscape. This group utilizes identity-focused tactics, including voice phishing (vishing) and multi-factor authentication (MFA) abuse, primarily targeting SharePoint environments to steal sensitive data. Researchers at ReliaQuest highlighted that the methods employed by Helix appear to be rooted in the operational playbook of prior groups such as ShinyHunters and BlackFile.

Mechanics of Attacks

The Helix group initiates its operations by contacting victims via vishing, impersonating individuals such as their managers to gain trust. This tactic often involves caller ID spoofing to enhance legitimacy. Once contact is established, they lure targets into device-code phishing schemes, allowing them to compromise user accounts effectively. Subsequently, Helix operators register a new multi-factor authenticator app to maintain persistent access.

Data Exfiltration Process

Once inside the compromised accounts, Helix systematically enumerates and browses the SharePoint environment. They utilize automated scripts to perform extensive search queries within SharePoint and bulk download sensitive files. The consistency of this enumeration technique across various incidents serves as a notable signature for their activities. ReliaQuest found that data exfiltration originated from specific IP addresses associated with past operations of the now-defunct BlackFile group.

Impact on Organizations

Organizations such as Medtronic, Nissan, Kodak, and Nottingham University have confirmed data breaches linked to the tactics employed by Helix. The stolen data is often used for extortion, where victims are threatened with exposure unless a ransom is paid. This operational model poses significant risks for organizations that utilize SharePoint and similar platforms. Helix’s emergence signifies a continued threat posed by identity-based attacks, which have become increasingly common in the field of cybercrime.

Connection to Previous Cybercriminal Groups

ReliaQuest suggests that Helix may represent a continuation or evolution of operations from BlackFile and ShinyHunters. Analysis indicates shared infrastructure and tactics between these groups. Helix's approach combines elements of social engineering with targeted attacks on Microsoft 365 environments, suggesting a sophisticated understanding of the weaknesses in corporate security frameworks. Further connections to previous data extortion groups like Pink and Redact may also emerge as investigations continue.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

A new cybercriminal group named Helix is using vishing and MFA abuse to steal data from SharePoint environments. The group impersonates employees to trick victims into giving up sensitive information, leading to data extortion practices similar to those of previous groups like ShinyHunters and BlackFile.