Helix: the new extortion crew phoning staff to raid SharePoint files
Researchers at ReliaQuest say the group impersonates managers on the phone, tricks staff into a login trap, then hoovers up company documents from Microsoft SharePoint.

Key points
- A new data-extortion crew tracked as Helix is calling employees while pretending to be their manager, then stealing files from Microsoft SharePoint, according to ReliaQuest.
- Helix operators register their own authenticator app on the victim's account to keep access, then bulk-download SharePoint content from a single IP address (179.43.185.230).
- ReliaQuest assesses with medium confidence that Helix overlaps with the ShinyHunters and now-defunct BlackFile extortion clusters, based on shared tactics and hosting infrastructure (AS 51852).
- Confirmed ShinyHunters victims disclosed in the past month include Medtronic, Nissan, NAIC, Kodak, Infinite Campus and Nottingham University.
- The single strongest defence, per ReliaQuest, is disabling device-code authentication where possible.
A fresh data-extortion crew has surfaced, and its opening move is a phone call.
Analysts at ReliaQuest are tracking the group as Helix. The name follows that vendor's naming convention. Its playbook is not clever code. It is a convincing voice on the line.
How does the attack actually start?
With a phone call to an employee, often from someone claiming to be their own manager. The caller uses the real manager's name, and in some cases spoofs the caller ID so the number looks right too.
This is called vishing, short for voice phishing, where criminals ring staff and talk them into doing something risky. In Helix's case, the goal is to walk the employee through what analysts call device-code phishing. That is a login trick that abuses a legitimate Microsoft sign-in flow: the attacker generates a code on their own machine, then convinces the employee to type that code into a real Microsoft login page. The employee thinks they are helping IT. In reality, they have just signed the attacker into their account.
Once inside, Helix moves fast. The operators enroll their own multi-factor authenticator app, the second step that normally blocks intruders, so they can get back in later even if the password changes. Then they go hunting through SharePoint, Microsoft's cloud file-sharing service that most large companies use for internal documents.
What do they take, and what happens next?
Files. Lots of them. ReliaQuest says the enumeration is machine-like and identical across incidents, which is why they treat it as Helix's clearest fingerprint. In their write-up, the researchers note the automated scraping ran from the IP address 179.43.185.230 using the python-requests/2.28.1 user-agent, with wildcard SharePoint searches to list every reachable document before bulk-downloading it.
The stolen data is then used to squeeze the victim: pay up, or we publish. Some batches get sold to other criminals instead.
Is Helix really a new group?
Maybe not entirely. ReliaQuest links Helix, with medium confidence, to two earlier extortion clusters: ShinyHunters and BlackFile. The evidence is circumstantial but consistent.
One Helix exfiltration IP sat in the same autonomous system, AS 51852, that previously hosted a confirmed BlackFile address. BlackFile shut down in April. Helix appeared soon after. The researchers also flag Pink and Redact as possible offshoots.
The ShinyHunters overlap is behavioural. Same social-engineering script, same fondness for Microsoft 365 and SharePoint, same use of the NICENIC domain registrar seen in earlier ShinyHunters campaigns. Recent ShinyHunters victims, as first reported by BleepingComputer, include Medtronic, Nissan, NAIC, Kodak, Infinite Campus and Nottingham University.
Capability and intent are worth separating here. Helix is not showcasing novel malware. What it has is a slick identity-abuse routine that works against companies with strong perimeters but tired employees.
What should organisations do about it?
ReliaQuest's headline recommendation is blunt: turn off device-code authentication if your business does not need it. That single change removes the trick at the heart of the intrusion.
Beyond that, restrict SharePoint access to company-managed devices, and block traffic to newly registered domains, which Helix leans on heavily. And warn staff, in plain terms, that a caller claiming to be their boss and asking them to type a code into a Microsoft page is the attack.



