Helix: new data-extortion crew hits SharePoint via vishing
ReliaQuest attributes new data-extortion crew Helix to vishing and device-code phishing against SharePoint. Infrastructure overlaps BlackFile.
ReliaQuest attributes a new data-extortion crew, “Helix,” to a wave of SharePoint bulk-download intrusions, carried by BleepingComputer on 2026-07-09. Playbook is vishing into targets, device-code phishing to convert the call into a Microsoft 365 session, an attacker-controlled MFA authenticator registered for persistence, and automated SharePoint enumeration and download from an unmanaged host. No encryption stage observed.
What’s confirmed
- New group, active. Data-extortion, no ransomware payload documented. Attribution: ReliaQuest threat research team. Confidence: high.
- Vishing chain. Operators place phone calls into targets, impersonate employees — including managers — and spoof caller ID to survive callback verification. Confidence: high, per ReliaQuest.
- Device-code phishing. Helix uses Microsoft’s device-code authentication flow — the same OAuth path defenders have watched abused since 2024 — to turn a phone call into a signed-in Microsoft 365 session. Confidence: high.
- MFA persistence. After landing an account, operators register their own MFA authenticator so subsequent logins survive password resets. Confidence: high.
- SharePoint sweep. Observed queries:
contentclass:STS_Siteand wildcard*searches issued against the SharePoint search API, driven by a client sending thepython-requests/2.28.1user-agent string. Confidence: high. - Exfiltration. One confirmed exfil address:
179.43.185[.]230. Confidence: high, per ReliaQuest. - Infrastructure overlap with BlackFile. ReliaQuest: “one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources.” Confidence: high on the AS-level overlap.
- Domain sourcing. Attacker domains observed registered through NICENIC — the same registrar cited in past ShinyHunters campaigns. Confidence: high on the registrar, unconfirmed on whether the overlap is anything more than registrar convenience.
What’s uncertain — treat accordingly
- Attribution beyond the group name. ReliaQuest calls out playbook overlap with ShinyHunters and infrastructure overlap with BlackFile; neither is called out as identity. BlackFile went quiet in April 2026 and Helix surfaced shortly after — a suggestive timeline, not evidence. Confidence: unconfirmed on rebrand.
- Victim set. ReliaQuest names no Helix victims in the current writeup. The Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University breaches referenced in the same piece are attributed to ShinyHunters and cited for TTP similarity, not as Helix victims. Do not chain them.
- Encryption capability. No encryption stage in any observed Helix intrusion. Pure data-theft extortion is what has been documented; whether an encryption module exists and is being held in reserve is not stated. Confidence: unconfirmed.
- Full IOC set. ReliaQuest’s public writeup surfaces one exfil IP and one user-agent string. Broader IOCs — additional IPs, domains, hashes — are not in the public summary; check the vendor blog for a full drop before hunting off this article alone.
What to do
- Disable device-code authentication where it is not explicitly needed. Microsoft 365’s device-code grant exists for input-constrained devices — TVs, IoT panels. If the fleet does not include those, an Entra conditional-access policy blocking the device-code flow removes the entire class of phishing Helix — and Storm-2372 before it — relies on. Highest-leverage single control for this playbook.
- Restrict SharePoint access to managed devices. Compliant-device conditional access on the SharePoint Online enterprise app cuts an unmanaged
python-requests/2.28.1client off before the search API answers. - Alert on MFA-method registrations. A new authenticator app added to an account that already has one is a low-noise, high-value signal. The
Add authentication methodaudit event in Entra ID is the underlying record; wire it into the SIEM if it is not there already. - Help-desk vishing playbook. Assume the phone number, caller ID, and pretext will all check out. The only reliable verification is a callback to a known-good internal number or an out-of-band identity check — not “does the caller know their manager’s name.”
Timeline
- ~April 2026 — BlackFile data-extortion operation goes quiet, per ReliaQuest.
- Post-April 2026 — Helix intrusions begin surfacing.
- 2026-07-09 — ReliaQuest publishes the group profile, TTPs, and infrastructure overlap with BlackFile; carried same day by BleepingComputer.
Filed news, group existence and playbook high-confidence per ReliaQuest, rebrand-from-BlackFile status unconfirmed, victim set undisclosed. Update on the next ReliaQuest post, on any leak site claim in Helix’s name, or on a confirmed encryption capability.
Found this useful? Share it.


