Advertisement
Cyber Crime

Vishing to Data Heist: Helix Group Elevates SharePoint Extortion Threat

A sophisticated new group named Helix leverages identity-based phishing and MFA abuse to infiltrate corporate SharePoint environments, exfiltrating sensitive data for extortion or sale.

·3 hours ago·3 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

In an increasingly interconnected digital landscape, the human element remains a primary vector for sophisticated cyberattacks. A newly identified threat actor, dubbed Helix, is demonstrating this reality with a potent blend of social engineering and technical exploitation, specifically targeting corporate data stored within SharePoint environments. This group’s methods, which include voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse, represent an alarming evolution in data extortion tactics, placing significant pressure on organizations to fortify both their technical defenses and their human firewalls.

The landscape of cybercrime is continually reshaped by groups dedicated to illicit data acquisition and monetization. Data extortion, in particular, has seen a dramatic rise, with threat actors constantly innovating to breach perimeters and exfiltrate valuable information. The shift towards identity-focused attacks underscores a broader trend where attackers seek to compromise legitimate credentials rather than relying solely on traditional network vulnerabilities. The focus on cloud collaboration platforms like Microsoft 365 and SharePoint is a logical progression, given the vast troves of sensitive organizational data they often contain.

Helix initiates its campaigns with targeted vishing attacks, establishing initial contact by impersonating legitimate personnel. In a concerning twist, operators have been observed calling employees while falsely identifying as their managers, either by using the manager's actual name or employing caller ID spoofing to lend an air of authenticity. The ultimate objective of these deceptive calls is to manipulate targets into participating in device-code phishing schemes, thereby granting the attackers unauthorized access to their accounts. Once inside a compromised account, Helix operators act swiftly to establish persistence, often by registering a new multi-factor authenticator application. Following this, they systematically browse and enumerate the SharePoint environment before moving on to exfiltrate critical files. Researchers at cybersecurity firm ReliaQuest indicate that the stolen data is then typically leveraged for extortion, with victim organizations threatened with public disclosure unless a ransom is paid, or it is sold off to other cybercriminal entities.

The systematic exfiltration process within SharePoint forms the most distinctive technical signature of Helix’s operations. "Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," the researchers note. They further detailed the precision of the group’s data harvesting: “The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”

ReliaQuest’s investigations suggest potential connections between Helix and the prominent data extortion groups ShinyHunters and BlackFile, based on observed techniques and infrastructure, though a definitive link remains unconfirmed. Over the past month, numerous high-profile organizations, including Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University, have publicly acknowledged data breaches previously attributed to ShinyHunters. The now-defunct BlackFile group, which ceased operations in April, similarly focused on identity-based attacks and social engineering. ReliaQuest’s research uncovered that one Helix attack utilized an exfiltration IP address residing in autonomous system AS 51852, an AS that also hosted a confirmed BlackFile IP address, hinting at shared resources. Furthermore, Helix’s emergence shortly after BlackFile’s shutdown could signal a continuation of the prior operation, with Pink and Redact also mentioned as potential successors. The similarities between Helix and ShinyHunters extend to their social engineering playbooks, encompassing vishing, employee impersonation, targeting of Microsoft 365, and the theft of SharePoint data. Another indicator is the shared use of the NICENIC registrar in both Helix and previous ShinyHunters campaigns.

The rise of groups like Helix underscores a critical imperative for organizations: to adopt a proactive and multi-layered defense strategy. The convergence of sophisticated social engineering with technical exploits means that relying on perimeter defenses alone is insufficient. Businesses must recognize that their employees are both their greatest asset and, without adequate training and robust security protocols, their most significant vulnerability. Implementing the highest-impact defensive measures, such as disabling device code authentication where feasible, is paramount. Additionally, restricting SharePoint access to only managed devices and actively blocking communication with newly registered domains – a tactic frequently employed by Helix – can significantly reduce an organization's attack surface. Ultimately, defending against these evolving threats requires a holistic approach that integrates advanced technical controls with continuous security awareness training, fostering a culture where every employee is a vigilant first line of defense against highly persuasive and technically adept adversaries.

Reporting based on original coverage from BleepingComputer.

#vishing#sharepoint#data exfiltration#cybercrime#mfa abuse#social engineering
← Back to all stories
Advertisement