Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    New Helix vishing group emerges in SharePoint data theft attacks

    July 10, 2026

    Former ransomware negotiator gets 4 years for BlackCat attacks

    July 10, 2026

    5 Major Emerging Risks to Large-Scale Events

    July 9, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»New Helix vishing group emerges in SharePoint data theft attacks
    News

    New Helix vishing group emerges in SharePoint data theft attacks

    adminBy adminJuly 10, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    New Helix vishing group emerges in SharePoint data theft attacks

    A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.

    Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager’s name or caller ID spoofing to appear legitimate.

    The purpose is to trick the target into device-code phishing schemes to gain access to their accounts.

    image

    Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files.

    According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.

    The SharePoint exfiltration behavior is Helix’s strongest technical fingerprint.

    “Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent,” the researchers note.

    “The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”

    Links to ShinyHunters and BlackFile

    ReliaQuest believes that Helix emerged from the ShinyHunters and BlackFile data extortion groups based on the techniques and infrastructure used, although the researchers did not find a definitive connection.

    Over the past month, Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University confirmed data breaches previously claimed by ShinyHunters.

    The now defunct BlackFile data extortion group targeted organizations using identity-based attacks and social engineering before ceasing operations in April.

    ReliaQuest’s research found that one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources.

    Additionally, Helix emerging shortly after BlackFile shut down may indicate a potential continuation of the extinct operation. ReliaQuest also mentions Pink and Redact as potential successors.

    Concerning the link to ShinyHunters, Helix demonstrates a very similar social engineering playbook, including vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data.

    A second clue is the use of the NICENIC registrar, which has also been seen in past ShinyHunters campaigns.

    As a highest-impact defensive measure against Helix attacks, the researchers recommend that device code authentication be disabled where possible.

    Other recommendations include restricting SharePoint access to only managed devices and blocking exchanges with newly registered domains, which Helix typically uses in its attacks.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleFormer ransomware negotiator gets 4 years for BlackCat attacks
    admin
    • Website

    Related Posts

    News

    Former ransomware negotiator gets 4 years for BlackCat attacks

    July 10, 2026
    News

    5 Major Emerging Risks to Large-Scale Events

    July 9, 2026
    News

    Injective SDK on npm infected with cryptocurrency wallet stealer

    July 9, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    New Helix vishing group emerges in SharePoint data theft attacks

    July 10, 2026

    Former ransomware negotiator gets 4 years for BlackCat attacks

    July 10, 2026

    5 Major Emerging Risks to Large-Scale Events

    July 9, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.