'Helix' data-extortion cluster pairs manager-impersonation vishing with device-code phishing and automated SharePoint exfiltration
ReliaQuest's Threat Research team published (2026-07-08) a spotlight on Helix, a data-extortion cluster it assesses as a likely continuation of the now-fragmented BlackFile (UNC6671) operation and the broader ShinyHunters ecosystem — an assessment resting on a shared credential-harvesting-domain registrar (also used by the Scattered Spider/"The Com" community) and an exfiltration host four addresses away, on the same autonomous system, from a confirmed BlackFile address two months earlier (ReliaQuest, 2026-07-08). ReliaQuest is explicit that this is likely-ecosystem-continuation, not confirmed attribution — but "organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns."
The device-code-phishing-defeats-Conditional-Access primitive itself was covered earlier today in the Huntress Railway/LSHIY analysis (see references); Helix's contribution is the full extortion kill chain wrapped around it. Initial contact is voice phishing in which the operator impersonates the target's actual manager by name on a spoofed caller-ID and talks them through entering a device code into Chrome — the session token is captured without any password crossing the phone line, and the device-code flow bypasses Conditional Access (ReliaQuest, 2026-07-08; BleepingComputer, 2026-07-09). Persistence is deliberately minimal and hard to spot: the operator registers a new MFA Authenticator on the account, typically within minutes of sign-in, from the same residential proxy used for access — "the only persistence artifact is a legitimate MFA registration." Sign-in infrastructure is geo-matched to the target's real city to avoid impossible-travel alerts, rotating through 15+ residential IPs against a single mailbox. Collection is automated and identical across incidents — the operator issues contentclass:STS_Site and wildcard SharePoint searches to inventory reachable content, then bulk-downloads, using a python-requests user-agent from an IP reserved for exfiltration and never used for access. Dwell before mass exfil ranged from under an hour to over a week, a deliberate tuning to each environment's value and detectability. In at least one case the operator actively tested containment after the account was disabled, re-attempting MFA registration and a password reset.
Helix likely emerged from the “BlackFile” and “ShinyHunters” ecosystem. Groups fragment and rebrand, but the techniques and infrastructure persist across every iteration.
Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert.
Disabling device code authentication is the single highest-impact action.
Defender actions
- Block or tightly scope the Entra ID device-code authentication flow tenant-wide — ReliaQuest names this the single highest-impact control, because it neutralises the session-token capture regardless of how convincing the vishing pretext is.
- Alert on a new MFA-authenticator registration occurring within minutes of a device-code sign-in from a residential-proxy IP the account has never used — that co-occurrence is Helix's persistence artifact and is otherwise indistinguishable from normal user activity.
- Hunt SharePoint/Graph access logs for enumeration using contentclass:STS_Site and wildcard search queries at automation speed from a non-browser (python-requests) user-agent, followed by bulk downloads — the automated-collection stage is the most reliable fingerprint.
ATT&CK mapping
4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1566.004Phishing: Spearphishing Voice
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
Persistence TA0003
T1098.005Account Manipulation: Device Registration
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
Privilege Escalation TA0004
T1098.005Account Manipulation: Device Registration
Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
Credential Access TA0006
T1528Steal Application Access Token
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Collection TA0009
T1213.002Data from Information Repositories: Sharepoint
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.