PROBABLYPWNED
Threat IntelligenceJuly 9, 20265 min read

Helix Vishing Group Emerges From BlackFile Ashes, Targets SharePoint

New data extortion group Helix uses vishing and device code phishing to steal SharePoint data from Medtronic, Nissan, and others. ReliaQuest links infrastructure to defunct BlackFile.

Alex Kowalski

A new data extortion group calling itself Helix has surfaced with a playbook that combines voice phishing, device code authentication abuse, and automated SharePoint enumeration to steal corporate data at scale. Security researchers at ReliaQuest believe the group emerged from the remnants of BlackFile, which shut down in April 2026.

Helix has already claimed victims including Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University.

The Attack Chain

Helix operators begin by calling targets directly, often spoofing a direct manager's name and caller ID to establish credibility. The pretext varies, but the goal remains consistent: convince the victim to complete a device code authentication flow.

This technique bypasses conditional access policies entirely. The victim never types a password—instead, they enter a code displayed on a phishing page into Microsoft's legitimate authentication portal. The session token goes straight to the attacker.

We covered the 1,380% surge in device code phishing last month, and Helix represents exactly the threat pattern researchers warned about.

Within minutes of gaining access, operators register their own MFA authenticator on the compromised account. This persistence mechanism uses the same residential proxy or IPv6 address as the initial access, helping it blend with the legitimate session.

SharePoint Pillaging at Scale

Once inside, Helix pivots to automated data collection. ReliaQuest observed enumeration traffic originating from IP 179.43.185[.]230 using a python-requests/2.28.1 user-agent. The operators issue SharePoint searches with contentclass:STS_Site filters and wildcard queries to inventory all reachable content.

Dwell time varies dramatically—from under an hour in smash-and-grab operations to multiple weeks when the target warrants deeper exploration. Exfiltration happens through a separate infrastructure tier: while initial access uses geo-matched residential proxies to avoid impossible-travel alerts, bulk downloads route through dedicated hosting at AS 51852.

Infrastructure Ties to BlackFile and ShinyHunters

The technical fingerprints suggest Helix inherited more than just tactics from its predecessors. The group's primary exfiltration IPs sit just four addresses apart from infrastructure previously linked to BlackFile operations on the same autonomous system (Private Layer INC).

Domain registration patterns also overlap. Helix uses NICENIC as its registrar—the same provider favored by ShinyHunters campaigns and the broader Scattered Spider ecosystem. This isn't coincidence; these groups share operational playbooks and, in some cases, personnel.

The timing reinforces the connection. BlackFile's April 2026 shutdown produced successor brands within weeks, including Pink and Redact. Helix follows the same pattern with identical kill chain techniques: vishing for initial access, device code phishing to capture tokens, MFA abuse for persistence, and SharePoint targeting for monetization.

Parallel Threats: Pink Passkey Attacks

Helix operates alongside another vishing group that poses an even more sophisticated threat to Microsoft 365 environments. As we reported earlier today, Pink is targeting Entra passkey enrollment through operator-controlled phishing kits that adapt to each victim's MFA configuration in real time.

The two campaigns share motivation—data extortion—but differ in execution. Where Helix relies on device code flows, Pink specifically targets the passkey enrollment process, tricking users into registering attacker-controlled passkeys that provide persistent, nearly undetectable access.

Okta threat intelligence has observed Pink targeting organizations across food and beverage, technology, healthcare, automotive, construction, and aviation industries. The group launched a public leak site on May 31, 2026, to pressure victims into paying.

Why Vishing Works

The surge in voice-based attacks isn't accidental. CrowdStrike documented a 442% increase in vishing activity between the first and second halves of 2024, and volume through H1 2025 already exceeded the full previous year.

Vishing succeeds where email phishing increasingly fails because it exploits human psychology differently. Caller ID spoofing creates immediate trust, and real-time phone conversations don't give victims the pause that a suspicious email might. Understanding these techniques requires recognizing how social engineering exploits human behavior rather than technical vulnerabilities.

The attacks also evade technical controls designed for web-based threats. Secure email gateways, URL sandboxing, and browser isolation do nothing against a phone call.

Defensive Recommendations

ReliaQuest identifies disabling device code authentication as the single highest-impact mitigation. For organizations that cannot disable it entirely, restricting the flow to managed devices significantly reduces risk.

Additional defenses include:

  • Restrict SharePoint access to managed endpoints only
  • Block communications with newly registered domains
  • Monitor for anomalous user-agent strings during SharePoint access
  • Implement out-of-band verification for any authentication requests received by phone
  • Treat residential proxy traffic with suspicion during sensitive operations

Indicators of Compromise

IndicatorType
179.43.185[.]230IP Address
179.43.171[.]42IP Address
179.43.185[.]226IP Address
oskeysync[.]comDomain
python-requests/2.28.1User-Agent
AS 51852 (Private Layer INC)Hosting

Organizations should also monitor for contentclass:STS_Site search patterns and wildcard queries in SharePoint audit logs, particularly when combined with bulk download activity from unfamiliar IPs.

For broader context on emerging threats, follow our cybersecurity news coverage.

Related Articles