Helix vishing group targets SharePoint data theft
🔒 A new extortion group dubbed Helix uses vishing, device-code phishing, and MFA abuse to access and exfiltrate files from SharePoint environments. Operators impersonate managers via phone calls and spoofed caller IDs to trick employees into granting access, then register authenticators for persistence and bulk-download content. ReliaQuest links Helix tactics and infrastructure to prior groups like ShinyHunters and BlackFile, and recommends disabling device-code authentication and restricting SharePoint to managed devices.
