A data-extortion group tracked as Helix has been observed using a layered identity-based attack chain to compromise Microsoft 365 accounts and exfiltrate files from SharePoint, according to research published by ReliaQuest.
How the Attack Chain Works
Initial access begins with vishing. Helix operators call employees while impersonating their manager, using either the manager’s name or caller ID spoofing to add credibility. The goal of the call is to steer the target into a device code phishing scheme, which yields valid session tokens without requiring the victim’s password directly.
Once inside an account, the threat actors register a new MFA authenticator application to establish persistence. They then enumerate SharePoint content using automated tooling before bulk-downloading files.
ReliaQuest noted that the enumeration behavior was consistent across every incident they analyzed, making it Helix’s most reliable technical fingerprint. The group issued contentclass:STS_Site queries and wildcard searches to inventory reachable SharePoint content, then downloaded files from the same IP address (179.43.185[.]230) using the python-requests/2.28.1 user-agent string.
Stolen data is subsequently used to extort victim organizations, with threats to publish files unless a ransom is paid, or sold to other criminal actors.
Ties to ShinyHunters and BlackFile
ReliaQuest assesses with moderate confidence that Helix has connections to both the ShinyHunters and BlackFile extortion groups, though researchers stopped short of declaring a definitive link.
- One Helix attack used an exfiltration IP address within autonomous system AS 51852, the same AS that hosted a confirmed BlackFile IP. BlackFile ceased operations in April, and Helix emerged shortly afterward, suggesting a possible continuation of that operation.
- Helix shares significant operational overlap with ShinyHunters, including vishing, employee impersonation, Microsoft 365 targeting, and SharePoint data theft. Both groups have also used the NICENIC domain registrar.
Over the past month, several organizations including Medtronic, Nissan, Kodak, and Nottingham University confirmed breaches previously claimed by ShinyHunters. ReliaQuest also identifies Pink and Redact as potential successor groups worth monitoring.
Defensive Recommendations
ReliaQuest identifies disabling device code authentication as the highest-impact single control against Helix-style attacks. Additional mitigations include:
- Restricting SharePoint access to managed, compliant devices only
- Blocking communication with newly registered domains, which Helix routinely leverages
- Monitoring for unexpected MFA device registrations as a persistence indicator
Security teams investigating potential Helix activity should treat the specific IP address, user-agent string, and SharePoint query patterns as high-fidelity detection opportunities.
