New Helix vishing group emerges in SharePoint data theft attacks

New Helix vishing group emerges in SharePoint data theft attacks
Helix is a new data-extortion group that uses vishing, device code phishing, and MFA abuse to gain access to SharePoint environments and steal sensitive files. ReliaQuest links its tactics and infrastructure to ShinyHunters and BlackFile, and recommends disabling device code authentication, limiting SharePoint access to managed devices, and blocking newly registered domains. #Helix #SharePoint #ShinyHunters #BlackFile #ReliaQuest

Keypoints

  • Helix uses vishing to impersonate managers and lure employees into device-code phishing.
  • The group registers a new MFA authenticator app for persistence after gaining access.
  • Helix enumerates SharePoint content and bulk-downloads files for extortion.
  • ReliaQuest says the SharePoint exfiltration pattern is Helix’s strongest technical fingerprint.
  • The campaign shows possible links to ShinyHunters and BlackFile through tactics and infrastructure.

Read More: https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/