:

HELIX GROUP TARGETS SHAREPOINT WITH VISHING ATTACKS

INDUSTRY DESK2 MIN READ
THU, JUL 9, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

A new data-extortion group called Helix is exploiting identity-focused tactics to infiltrate SharePoint environments and steal sensitive data. The group uses voice phishing, device code phishing, and MFA abuse to gain unauthorized access.

Who is Helix? Helix represents an emerging threat in the data-extortion landscape, focusing on identity compromise rather than traditional security vulnerabilities. The group targets organizations storing data in Microsoft SharePoint, a widely-used enterprise collaboration platform. Attack Methods Helix employs a sophisticated multi-layered approach: - Vishing (Voice Phishing): Social engineering calls to trick employees into revealing credentials or sensitive information. - Device Code Phishing: Exploiting the device authentication flow to obtain valid access tokens. - MFA Abuse: Leveraging compromised credentials to bypass multi-factor authentication protections. This combination allows attackers to establish legitimate access without triggering traditional security alerts. Operational Model As a data-extortion group, Helix likely follows the ransomware-as-a-service (RaaS) model, stealing data and threatening to publish it unless victims pay a ransom. By focusing on identity-based entry points, the group avoids detection systems designed to catch malware or network exploitation. Why SharePoint? SharePoint environments often contain centralized repositories of corporate documents, financial records, and proprietary information. Once inside, attackers can exfiltrate large volumes of data with minimal friction. Defense Recommendations Organizations should implement: - Security awareness training focused on vishing tactics - Conditional access policies requiring additional verification for sensitive data access - Monitoring for unusual device code authentication requests - Passwordless authentication where possible - Enhanced logging and detection for SharePoint access anomalies The emergence of Helix underscores a broader shift toward identity-focused attacks. As perimeter defenses strengthen, threat actors increasingly target the human and authentication layers where employees interact with systems.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

3H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

3H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

6H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

8H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.