Helix Group Exploits Vishing and Device Codes for Stealthy SharePoint Data Extortion
The Helix data extortion group is targeting Microsoft 365 users with a novel approach using vishing and device code phishing to bypass traditional defenses and exfiltrate sensitive data, primarily from SharePoint.

A fast-moving data extortion group known as Helix has emerged, employing a sophisticated strategy that bypasses traditional malware-based attacks in favor of identity abuse. Targeting Microsoft 365 users, Helix utilizes phone scams (vishing) and cloud-focused phishing techniques to gain initial access. Their primary objective is to acquire authenticated sessions, which they then leverage to steal large volumes of corporate files, with SharePoint libraries frequently identified as the main target.
The group's methodology is particularly noteworthy for its reliance on social engineering and identity manipulation rather than noisy ransomware deployment. Attackers trick victims into entering a device code, a process that grants the threat actor a valid, authenticated session. This tactic circumvents many of the standard security alerts and detection mechanisms that defenders typically associate with credential theft or account compromise, making it harder to detect.
Researchers at ReliaQuest have detailed Helix's repeatable playbook, observing consistent tactics, techniques, and procedures (TTPs) across multiple victim incidents. The group has been seen using shared infrastructure, carefully crafted lures, and specific subdomains registered under phishing domains. To further obfuscate their activities, Helix employs residential proxy infrastructure that is often matched to the victim's geographic location and rotates through numerous source IP addresses to make login attempts appear more legitimate.
Once an authenticated session is secured, Helix operators quickly move to establish persistence. A common step involves registering a new multi-factor authentication (MFA) authenticator on the compromised account, creating a durable foothold that is difficult to dislodge without rapid intervention. This speed and stealth allow Helix to exfiltrate sensitive cloud data before many organizations even realize an account has been compromised.
The primary target for data exfiltration is Microsoft SharePoint. After gaining access and establishing persistence, Helix operators engage in discovery and collection activities, systematically identifying and downloading high-value files. In some instances, the transition from initial access to bulk exfiltration has occurred in under an hour, while in others, attackers have spent days quietly browsing through emails and site pages before initiating large-scale downloads.
Helix's post-compromise behavior often involves manual browsing of SharePoint sites followed by automated enumeration and mass downloads from a dedicated, hosted IP address. This organized approach indicates a focus on maximizing data collection with minimal friction. The group's tactics highlight a maturing extortion model that leverages trust, precise timing, and the inherent value of cloud-based repositories like SharePoint.
To counter Helix's operations, ReliaQuest recommends several direct defensive measures. These include disabling device code authentication where possible, restricting sensitive SaaS application access to managed endpoints, and implementing robust defenses to block newly registered phishing domains before they can be effectively utilized. Standard incident response steps, such as password resets and session revocations, remain effective but require swift execution across both cloud and on-premises identity systems.
The emergence of Helix underscores a broader trend in cybercrime toward identity-driven intrusions and data extortion. By focusing on social engineering and exploiting authentication mechanisms, groups like Helix can achieve significant data theft with minimal reliance on traditional malware, posing a unique challenge to modern cybersecurity defenses. Organizations must recognize the value of data stored in cloud services like SharePoint and bolster their defenses against these increasingly sophisticated, identity-focused threats.