Helix Targets Microsoft 365 Accounts in SharePoint Data-Theft Attacks


Helix group sharepoint
Image credit: Microsoft

Helix is a newly identified data-extortion group targeting Microsoft 365 and SharePoint environments through identity compromise rather than software exploits.

The group uses voice phishing, device-code phishing, and MFA abuse to gain access to corporate Microsoft accounts. Once inside, attackers steal data from SharePoint and use it to pressure victims into paying a ransom or sell it to other cybercriminals.

Helix Uses Voice Phishing to Steal Microsoft 365 Access

Helix operators contact employees by phone and impersonate trusted people inside the company.

In some cases, attackers pose as the victim’s manager. They may use the manager’s name or spoof caller ID to make the call look legitimate.

The victim is then guided through a device-code phishing process. This allows the attacker to gain access to the employee’s Microsoft account without exploiting a software vulnerability.

Attackers Register New MFA Methods for Persistence

After gaining access, Helix quickly registers a new MFA authenticator app.

This gives the attacker a persistent authentication method under their control. From there, the group explores the compromised Microsoft 365 environment and searches for accessible SharePoint resources.

SharePoint Data Theft Is Helix’s Main Fingerprint

Helix’s strongest technical fingerprint is its automated SharePoint enumeration and download activity.

Researchers observed searches using contentclass and wildcard queries to inventory accessible content. The attackers then downloaded files in bulk from SharePoint.

The operations used the python-requests/2.28.1 user agent for both enumeration and exfiltration activity.

ReliaQuest believes Helix may have links to the now-defunct BlackFile or ShinyHunters group.

Both operations rely heavily on social engineering and identity-based attacks rather than traditional ransomware deployment.

Researchers said this could point to shared infrastructure or a continuation of previous activity, but they found no definitive proof of a direct connection.

How Organizations Can Defend Against Helix

Organizations can reduce exposure by disabling device-code authentication where it is not required.

They should also limit SharePoint access to managed and compliant devices, closely control the registration of new MFA methods, and scrutinize communications involving newly registered domains.

Security teams should train employees to independently verify unexpected calls from managers or IT staff, especially when the caller asks them to complete a login or authentication process.

Microsoft 365 monitoring should also focus on unusual device-code sign-ins, new MFA registrations, SharePoint searches, and bulk downloads.

The discovery of Helix comes as several phishing platforms have recently been exposed, including Forg365 and ARToken. Kaspersky has also warned about device-code phishing attacks, while Microsoft 365 users were recently targeted in another voice phishing campaign.

Via BleepingComputer

More about the topics: Microsoft 365, Phishing, Sharepoint

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages