ctipilot.ch

Helix

actor · actor:helix-extortion

Data-extortion cluster documented by ReliaQuest (2026-07-08), assessed as a likely continuation of the BlackFile (UNC6671) and ShinyHunters ecosystems on shared registrar and hosting-adjacent infrastructure. Uses manager-impersonation vishing to drive Entra ID device-code phishing that bypasses Conditional Access, registers a new MFA authenticator within minutes for persistence, then runs automated python-requests SharePoint enumeration and bulk exfiltration for extortion.

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
2
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

Affected products
Microsoft 365Microsoft Entra IDMicrosoft SharePoint

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566.004Phishing: Spearphishing Voice×1

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Persistence TA0003

T1098.005Account Manipulation: Device Registration×1

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Privilege Escalation TA0004

T1098.005Account Manipulation: Device Registration×1

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Credential Access TA0006

T1528Steal Application Access Token×1

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Collection TA0009

T1213.002Data from Information Repositories: Sharepoint×1

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

Evidence: 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil · ATT&CK page ↗

Story timeline

  1. 2026-07-10'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration
    active-threatsReliaQuest: new 'Helix' extortion cluster (BlackFile/ShinyHunters lineage) vishes staff into device-code sign-ins, then bulk-loots SharePoint

Where this entity is cited

  • active-threats1

Source distribution

  • bleepingcomputer.com1 (50%)
  • reliaquest.com1 (50%)

Related entities

Entries about Helix (1)

2026-07-10 · view entry permalink →

HIGHNATOB2

'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration

ReliaQuest's Threat Research team published (2026-07-08) a spotlight on Helix, a data-extortion cluster it assesses as a likely continuation of the now-fragmented BlackFile (UNC6671) operation and the broader ShinyHunters ecosystem — an assessment resting on a shared credential-harvesting-domain registrar (also used by the Scattered Spider/"The Com" community) and an exfiltration host four addresses away, on the same autonomous system, from a confirmed BlackFile address two months earlier (ReliaQuest, 2026-07-08). ReliaQuest is explicit that this is likely-ecosystem-continuation, not confirmed attribution — but "organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns."

The device-code-phishing-defeats-Conditional-Access primitive itself was covered earlier today in the Huntress Railway/LSHIY analysis (see references); Helix's contribution is the full extortion kill chain wrapped around it. Initial contact is voice phishing in which the operator impersonates the target's actual manager by name on a spoofed caller-ID and talks them through entering a device code into Chrome — the session token is captured without any password crossing the phone line, and the device-code flow bypasses Conditional Access (ReliaQuest, 2026-07-08; BleepingComputer, 2026-07-09). Persistence is deliberately minimal and hard to spot: the operator registers a new MFA Authenticator on the account, typically within minutes of sign-in, from the same residential proxy used for access — "the only persistence artifact is a legitimate MFA registration." Sign-in infrastructure is geo-matched to the target's real city to avoid impossible-travel alerts, rotating through 15+ residential IPs against a single mailbox. Collection is automated and identical across incidents — the operator issues contentclass:STS_Site and wildcard SharePoint searches to inventory reachable content, then bulk-downloads, using a python-requests user-agent from an IP reserved for exfiltration and never used for access. Dwell before mass exfil ranged from under an hour to over a week, a deliberate tuning to each environment's value and detectability. In at least one case the operator actively tested containment after the account was disabled, re-attempting MFA registration and a password reset.

Helix likely emerged from the “BlackFile” and “ShinyHunters” ecosystem. Groups fragment and rebrand, but the techniques and infrastructure persist across every iteration.

Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert.

Disabling device code authentication is the single highest-impact action.

ReliaQuest 2026-07-08

Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns

threat10 Jul 12:53Zmulti-sourceOpen finding ↗