In a nutshell: Helix combines voice phishing, device code phishing, and MFA manipulation to steal SharePoint data.
The threat group Helix steals data from SharePoint environments through identity-focused attacks such as voice phishing, device code phishing, and abuse of multi-factor authentication.
According to current findings, the new extortion group Helix deliberately employs identity-based attack methods to gain access to SharePoint systems. The group combines three techniques: voice phishing (phone calls under false pretences), device code phishing (abuse of device code flows), and circumvention of multi-factor authentication through manipulated users.
For Chief Information Security Officers, this represents a new attack class that bypasses traditional access protection measures. Voice phishing targets employees directly and exploits psychological manipulation tactics to extract credentials or authentication codes. Device code phishing exploits the fact that many users are careless with browser flows that require device code authentication.
Organisations should review their access policies with a focus on SharePoint security, in particular conditional access policies and anomaly detection. Training on social engineering and voice phishing is critical. Additionally, access to sensitive SharePoint data sources should be restricted through additional contextual factors (IP range, geolocation, device compliance).
Source: www.bleepingcomputer.com · Published 9 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.