A cybercrime group calling itself Helix (cool name, I suppose) may be new, but the attack methods it uses certainly aren’t.
According to new research from ReliaQuest, Helix is running data extortion campaigns by combining voice phishing, Microsoft device code phishing, and automated SharePoint data theft. While the security company can’t definitively tie the group to BlackFile or ShinyHunters, it says the similarities are too strong to ignore.
The attacks don’t start with malware. They start with a phone call.
In one case, the attacker allegedly spoofed the victim’s manager on caller ID and convinced the employee to enter a Microsoft device code into Chrome. The victim never handed over a password, but it didn’t matter. The device code flow gave the attacker authenticated access anyway.
From there, the attacker reportedly wasted little time. ReliaQuest says Helix typically registers its own MFA authenticator on the compromised account to maintain access, quietly explores SharePoint content, and then switches to automated tools that search for and download large amounts of data. The company also observed the attackers using residential proxy services with IP addresses that matched the victim’s city, making the logins appear much more legitimate.
ReliaQuest believes Helix may be connected to the same criminal ecosystem that spawned BlackFile and ShinyHunters. One piece of evidence is infrastructure. An IP address used by Helix for data exfiltration sits just four addresses away from one previously tied to BlackFile on the same hosting provider. The phishing domain oskeysync[.]com was also registered through a registrar that has repeatedly shown up in campaigns linked to BlackFile, ShinyHunters, and Scattered Spider.
What stood out to me is how little malware is involved here. This is largely an identity attack. The attackers convince someone to grant access, register their own MFA method, and then use legitimate Microsoft services to steal data. That makes spotting the intrusion much harder than detecting a malicious executable.
ReliaQuest says organizations should disable Microsoft device code authentication if possible because it was the primary entry point in the attacks it investigated. If that isn’t an option, it recommends restricting access to managed devices, requiring compliant endpoints for Microsoft 365 services such as SharePoint, and blocking newly registered domains that are often used in phishing campaigns.
The names of these groups may keep changing, but the playbook isn’t. As long as attackers can manipulate people into approving access, they won’t need to rely on malware nearly as often.
Support independent tech journalism
NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.
Support NERDS.xyz