Skip to content

New Threat Group Helix Uses Voice Phishing for SharePoint Data Theft

Key point: Helix relies on voice calls and MFA bypass instead of malware to obtain SharePoint credentials and extort data.

The threat group Helix employs identity-focused attack methods such as voice phishing, device code phishing, and MFA abuse to steal data from SharePoint environments. The group operates as an extortion actor and targets companies with valuable document holdings.

The new threat group Helix combines classic social engineering techniques with modern authentication mechanisms. The approach begins with voice phishing calls, in which attackers pose to employees as internal or external trusted contacts. The goal is to obtain login credentials or one-time passcodes.

In parallel, the group runs device code phishing campaigns, a method in which users are prompted on fraudulent authentication pages to enter device codes. This compromises OAuth tokens that grant access to Microsoft 365 resources. If MFA authentication is disabled or poorly configured, this significantly simplifies attacker access.

For CISOs, this represents an elevated risk in securing cloud storage solutions. Helix focuses on environments where employees work with SharePoint and store sensitive or business-critical data there. After successful data theft, the group extorts the companies by threatening to publish the stolen information.

Required countermeasures include strict MFA policies, training to recognize voice phishing, and monitoring for abnormal token activities. Additionally, access logs should be reviewed for mass downloads from SharePoint.


Source: www.bleepingcomputer.com · Published July 9, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: