Listen to this Post
Introduction: A New Generation of Cybercriminals Is Targeting People, Not Just Technology
Cybersecurity threats continue to evolve at an alarming pace, but one trend has become increasingly clear: modern attackers are no longer relying solely on software vulnerabilities. Instead, they are focusing on the weakest link in every organization—the human factor. A newly discovered data-extortion group known as Helix has demonstrated just how dangerous identity-based attacks have become by combining social engineering, voice phishing, and Microsoft 365 abuse to infiltrate organizations.
Unlike traditional ransomware gangs that encrypt systems and demand payment, Helix is primarily interested in stealing valuable corporate data. Once sensitive information is extracted from Microsoft SharePoint environments, the attackers pressure victims into paying ransoms by threatening to publicly leak confidential files. This strategy allows the group to generate profits while avoiding many of the complexities associated with deploying ransomware.
The emergence of Helix also raises another concern for cybersecurity professionals: the possibility that experienced cybercriminals from previously dismantled extortion groups have simply rebranded under a new name. If true, organizations may once again be facing seasoned attackers with refined tactics and years of operational experience.
Attack Overview: Helix Begins with a Simple Phone Call
The Helix attack chain often starts with something that appears completely harmless—a phone call.
Instead of immediately launching malware or exploiting technical vulnerabilities, Helix operators contact employees through voice phishing (vishing). During these calls, the attacker impersonates the victim’s manager, often using the manager’s real name or spoofing the caller ID to make the conversation appear legitimate.
This psychological manipulation is designed to create urgency and trust. Employees believe they are speaking with someone from inside the organization, making them far more likely to follow instructions without questioning the request.
Rather than stealing passwords directly, the attackers convince victims to complete a device code authentication process, unknowingly granting the criminals access to their Microsoft 365 accounts.
This technique bypasses many traditional security awareness habits because victims are not entering passwords into fake websites. Instead, they are voluntarily authorizing an attacker-controlled session.
Device Code Phishing: Turning Legitimate Authentication Against the Victim
Device code authentication exists to help users sign into devices with limited input capabilities, such as smart TVs or conference room systems.
Helix abuses this legitimate Microsoft authentication workflow.
Victims receive what appears to be a normal authentication request and are instructed to enter a device code into Microsoft’s legitimate login portal. Because the login page is genuine, many employees fail to recognize the attack.
Once authorization is completed, Helix immediately gains access without ever knowing the user’s password.
This represents one of the most dangerous characteristics of modern phishing campaigns: exploiting legitimate cloud services rather than fake infrastructure.
Persistence Through Multi-Factor Authentication Abuse
After successfully entering the
The operators register a brand-new multi-factor authentication application under the compromised account, giving themselves persistent access even if the victim later changes their password.
This abuse of MFA highlights an uncomfortable reality in cybersecurity.
Multi-factor authentication is highly effective against many attacks, but once an attacker successfully authenticates as the user, they can often manipulate MFA settings themselves unless additional protections are in place.
Persistence becomes the foundation for the next stage of the operation.
SharePoint Becomes the Primary Target
With persistent access established, Helix shifts its attention to Microsoft SharePoint.
Researchers observed a consistent pattern in every investigated incident.
The attackers automatically enumerate accessible SharePoint sites, identify valuable repositories, search across organizational content, and perform large-scale file downloads.
According to researchers from ReliaQuest, this SharePoint data collection process is the group’s strongest technical fingerprint.
Investigators observed automated enumeration originating from IP address 179.43.185.230 using the python-requests/2.28.1 user agent.
The operators repeatedly issued SharePoint search commands such as contentclass alongside wildcard searches to discover every accessible document before downloading large volumes of data.
This repeatable workflow makes Helix relatively identifiable despite its heavy reliance on social engineering.
Data Theft Instead of Encryption
Unlike classic ransomware groups, Helix generally avoids encrypting systems.
Instead, the attackers steal confidential information and later contact the victim organization with extortion demands.
Organizations are threatened with public exposure of proprietary documents, customer information, internal communications, financial records, or intellectual property unless payment is made.
If negotiations fail, the stolen information may be leaked publicly or sold to other cybercriminal groups operating on underground marketplaces.
This shift reflects a broader evolution within cybercrime where data itself has become the ransom.
Possible Connections to ShinyHunters and BlackFile
One of the most interesting aspects of ReliaQuest’s investigation involves Helix’s possible origins.
Although researchers could not establish a definitive attribution, multiple indicators strongly suggest that Helix may share infrastructure, tactics, or personnel with previously known extortion groups.
The first suspected connection involves ShinyHunters, a notorious data-theft operation responsible for numerous high-profile breaches.
Recent organizations publicly acknowledging incidents previously linked to ShinyHunters include Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University.
Helix mirrors many of
Researchers also observed Helix using the NICENIC domain registrar, which has appeared in previous ShinyHunters operations.
Another potential connection involves BlackFile, a data extortion group that specialized in identity-based attacks before shutting down operations in April.
ReliaQuest discovered that one Helix exfiltration server belonged to Autonomous System AS51852, the same network previously associated with confirmed BlackFile infrastructure.
Combined with
Other emerging extortion operations, including Pink and Redact, are also being monitored as possible successors within the same cybercriminal ecosystem.
Defensive Strategies Against Helix
Security experts emphasize that identity protection must now receive the same attention traditionally given to endpoint security.
One of the strongest defensive recommendations is disabling device code authentication wherever business requirements allow.
Organizations should also limit SharePoint access exclusively to managed corporate devices, reducing opportunities for compromised accounts to access sensitive repositories from unauthorized systems.
Monitoring new MFA registrations should become a high-priority detection rule, as unexpected authenticator enrollment may indicate account compromise.
Blocking communications with newly registered domains can also reduce exposure because Helix frequently incorporates fresh infrastructure into its campaigns.
Regular employee awareness training focused on voice phishing, executive impersonation, and cloud authentication abuse remains one of the most valuable defensive investments.
Deep Analysis
Command 1: Follow Identity Instead of Malware
Helix demonstrates that attackers increasingly prioritize identity compromise over malware deployment. Organizations should monitor authentication behavior as aggressively as they monitor executable files.
Command 2: Treat Voice Calls as Security Events
Help desk staff and employees must verify unexpected phone requests through secondary communication channels instead of trusting caller ID alone.
Command 3: Monitor MFA Enrollment Continuously
Unexpected MFA registrations should trigger immediate investigation because persistence often begins immediately after account compromise.
Command 4: Protect SharePoint Like a Critical Asset
SharePoint now stores intellectual property, contracts, financial records, and internal communications. Continuous monitoring of mass downloads should be standard practice.
Command 5: Limit Cloud Trust Relationships
Conditional access policies, managed-device enforcement, and least-privilege permissions significantly reduce the impact of compromised accounts.
Command 6: Assume Data Theft Before Ransomware
Modern extortion groups increasingly prioritize stealing information over encrypting systems, making data monitoring just as important as malware detection.
What Undercode Say:
Helix is another reminder that cybersecurity has entered an identity-first era where human manipulation often outperforms sophisticated exploits.
The
Instead of defeating
That subtle difference makes these attacks significantly harder to detect.
Organizations often invest millions in endpoint security while overlooking identity monitoring.
Helix exploits that imbalance.
The abuse of legitimate Microsoft authentication workflows is particularly concerning because security products are designed to trust successful authentication.
This means defenders must increasingly analyze user behavior rather than simply looking for malicious software.
The suspected connections to ShinyHunters and BlackFile also illustrate an important reality about cybercrime.
Threat groups rarely disappear permanently.
Experienced operators frequently reorganize, adopt new branding, reuse infrastructure, and continue operations with refined techniques.
Whether Helix represents a complete rebranding or simply shares resources with older operations, defenders should expect mature tradecraft rather than inexperienced attackers.
SharePoint’s central role in these attacks is equally significant.
As organizations continue migrating sensitive information to cloud collaboration platforms, those services naturally become high-value targets.
Protecting cloud identities is now inseparable from protecting corporate data.
The most effective defense is no longer based solely on antivirus signatures or firewalls.
It combines identity security, conditional access, behavioral analytics, phishing-resistant authentication, continuous employee education, and proactive cloud monitoring.
Helix proves that one successful phone call can bypass millions of dollars in security investments if organizations fail to secure the human element.
Future security strategies must therefore assume that users can be manipulated and build layered controls that minimize the damage even after initial compromise.
Identity has effectively become the new network perimeter, and protecting it should now be every organization’s highest cybersecurity priority.
✅ Confirmed: ReliaQuest publicly documented Helix using voice phishing, device code phishing, MFA enrollment abuse, and automated SharePoint data exfiltration.
✅ Supported: Researchers identified technical similarities between Helix and both ShinyHunters and BlackFile, but they clearly stated that no definitive attribution has been established.
❌ Not Confirmed: There is currently no publicly available evidence proving that Helix is officially operated by former ShinyHunters or BlackFile members. Existing links remain based on infrastructure overlap, tactics, timing, and behavioral similarities rather than conclusive attribution.
Prediction
(+1) Identity-aware security platforms will increasingly detect abnormal authentication behavior, suspicious MFA registrations, and mass SharePoint downloads in real time, significantly reducing the effectiveness of attacks like Helix.
(-1) If organizations continue relying primarily on password protection and basic MFA without stronger identity governance, social engineering groups like Helix will likely expand their operations, targeting additional cloud collaboration platforms beyond Microsoft 365 while causing larger data extortion incidents worldwide.
▶️ Related Video (78% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




