Vishing and Device Code Phishing Approach
A new data extortion group known as Helix has been using sophisticated identity focused attacks to break into SharePoint environments. The group initiates contact through voice phishing, sometimes impersonating a victim’s manager by spoofing their name or caller ID. Once trust is established, the attackers trick targets into device code phishing schemes that grant them access to corporate accounts. After gaining entry, Helix operators quickly enroll a new multi factor authenticator app to maintain persistence.
SharePoint Exfiltration and Extortion
Helix’s primary goal is to enumerate and exfiltrate files from SharePoint, a behavior that serves as a key technical fingerprint for the group. Researchers observed automated enumeration from specific IP addresses using a Python requests user agent. The stolen data is then used to extort organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals. Analysts recommend disabling device code authentication where possible and restricting SharePoint access to managed devices as defensive measures.
Possible Links to ShinyHunters and BlackFile
Security researchers from ReliaQuest suggest that Helix may have emerged from the ShinyHunters and BlackFile data extortion groups based on overlapping techniques and infrastructure. One attack used an exfiltration IP address within the same autonomous system that previously hosted a BlackFile IP address. Additionally, Helix employs a similar social engineering playbook to ShinyHunters, including vishing and targeting Microsoft 365. The use of a specific domain registrar also aligns with past ShinyHunters campaigns.
Source: BleepingComputer

