Skip to content
credential-theftZero TrustSupply Chain

Helix extortion group: how a phone call becomes a SharePoint exfiltration in under an hour

4 min read
Share

Helix extortion group: how a phone call becomes a SharePoint exfiltration in under an hour

A new data extortion group called Helix has emerged with a kill chain that requires no malware. The only tools it needs are a phone, a spoofed caller ID, and access to Microsoft's legitimate device-code authentication flow. ReliaQuest has published primary research on the group's tactics, and the picture is worth understanding carefully.

The kill chain, step by step

It starts with a phone call. The attacker dials a target employee and impersonates their manager, sometimes using caller ID spoofing to make the number appear legitimate. The goal of the call is to get the employee to complete a device-code authentication flow. Device-code auth is a legitimate Microsoft feature designed for devices without keyboards, such as smart TVs and printers, that authenticate by displaying a short code for a user to enter on another device.

The attacker sends the target a device-code link and talks them through entering the code. When the target completes the flow, the attacker receives a persistent OAuth2 access token for that employee's Microsoft 365 account. No password is stolen. No suspicious link to click. The authentication flow is entirely legitimate from Microsoft's perspective.

Persistence and exfiltration

Once inside, Helix moves immediately. The first step is persistence: the attacker registers a new MFA authenticator app to the compromised account, ensuring continued access even if the victim later resets their password.

The second step is reconnaissance and bulk exfiltration. Helix operators browse and enumerate SharePoint sites, identify high-value document libraries, and download in bulk. In some incidents documented by ReliaQuest, the entire sequence from initial access to bulk exfiltration completed in under an hour.

Infrastructure and attribution

ReliaQuest identifies infrastructure overlap between Helix and BlackFile (UNC6671), a data extortion group that fragmented into multiple successor operations after shutting down in April 2026. Successor groups include Pink and Redact. Helix shares NICENIC registrar infrastructure and near-identical social engineering playbooks with ShinyHunters, one of the most active data extortion groups currently operating. Helix does not appear to deploy ransomware. The business model is pure extortion: steal data, threaten to publish it, collect payment to suppress it.

What to do

Three controls have the highest impact. First, disable device-code authentication via Microsoft Entra Conditional Access if your organization does not require it. Most enterprise environments do not need device-code auth enabled for all users. Restricting it to specific device types or blocking it entirely removes the attack vector Helix depends on.

Second, restrict MFA device registration. If any user can register a new MFA authenticator without approval, Helix's persistence step works reliably. Require admin approval or a privileged identity management workflow for MFA enrollment changes. Treat MFA enrollment as a privileged operation.

Third, train employees to treat any incoming call requesting authentication action as high-risk, regardless of caller ID. Verify manager identity through a separate channel before completing any authentication flow prompted by a phone call. The cost of verification is a 30-second callback. The cost of skipping it can be a SharePoint exfiltration.

The broader signal

Helix is the latest example of identity-first attack groups that have moved away from malware entirely. The same trend is visible in Scattered Spider and in predecessor groups like BlackFile. The reasons are practical: malware requires deployment and risks detection by EDR. Social engineering requires only convincing conversation. As EDR coverage improves, the economics shift toward identity attacks. Conditional Access policies and MFA enrollment controls are now as security-critical as endpoint protection.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your Microsoft 365 environment needs a Conditional Access or MFA enrollment policy review.