2026-07-10 · view entry permalink →
'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration
ReliaQuest's Threat Research team published (2026-07-08) a spotlight on Helix, a data-extortion cluster it assesses as a likely continuation of the now-fragmented BlackFile (UNC6671) operation and the broader ShinyHunters ecosystem — an assessment resting on a shared credential-harvesting-domain registrar (also used by the Scattered Spider/"The Com" community) and an exfiltration host four addresses away, on the same autonomous system, from a confirmed BlackFile address two months earlier (ReliaQuest, 2026-07-08). ReliaQuest is explicit that this is likely-ecosystem-continuation, not confirmed attribution — but "organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns."
The device-code-phishing-defeats-Conditional-Access primitive itself was covered earlier today in the Huntress Railway/LSHIY analysis (see references); Helix's contribution is the full extortion kill chain wrapped around it. Initial contact is voice phishing in which the operator impersonates the target's actual manager by name on a spoofed caller-ID and talks them through entering a device code into Chrome — the session token is captured without any password crossing the phone line, and the device-code flow bypasses Conditional Access (ReliaQuest, 2026-07-08; BleepingComputer, 2026-07-09). Persistence is deliberately minimal and hard to spot: the operator registers a new MFA Authenticator on the account, typically within minutes of sign-in, from the same residential proxy used for access — "the only persistence artifact is a legitimate MFA registration." Sign-in infrastructure is geo-matched to the target's real city to avoid impossible-travel alerts, rotating through 15+ residential IPs against a single mailbox. Collection is automated and identical across incidents — the operator issues contentclass:STS_Site and wildcard SharePoint searches to inventory reachable content, then bulk-downloads, using a python-requests user-agent from an IP reserved for exfiltration and never used for access. Dwell before mass exfil ranged from under an hour to over a week, a deliberate tuning to each environment's value and detectability. In at least one case the operator actively tested containment after the account was disabled, re-attempting MFA registration and a password reset.
Helix likely emerged from the “BlackFile” and “ShinyHunters” ecosystem. Groups fragment and rebrand, but the techniques and infrastructure persist across every iteration.
Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert.
Disabling device code authentication is the single highest-impact action.
Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns