Helix Vishing Group Emerges From BlackFile Ashes, Targets SharePoint
New data extortion group Helix uses vishing and device code phishing to steal SharePoint data from Medtronic, Nissan, and others. ReliaQuest links infrastructure to defunct BlackFile.
A new data extortion group calling itself Helix has surfaced with a playbook that combines voice phishing, device code authentication abuse, and automated SharePoint enumeration to steal corporate data at scale. Security researchers at ReliaQuest believe the group emerged from the remnants of BlackFile, which shut down in April 2026.
Helix has already claimed victims including Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University.
The Attack Chain
Helix operators begin by calling targets directly, often spoofing a direct manager's name and caller ID to establish credibility. The pretext varies, but the goal remains consistent: convince the victim to complete a device code authentication flow.
This technique bypasses conditional access policies entirely. The victim never types a password—instead, they enter a code displayed on a phishing page into Microsoft's legitimate authentication portal. The session token goes straight to the attacker.
We covered the 1,380% surge in device code phishing last month, and Helix represents exactly the threat pattern researchers warned about.
Within minutes of gaining access, operators register their own MFA authenticator on the compromised account. This persistence mechanism uses the same residential proxy or IPv6 address as the initial access, helping it blend with the legitimate session.
SharePoint Pillaging at Scale
Once inside, Helix pivots to automated data collection. ReliaQuest observed enumeration traffic originating from IP 179.43.185[.]230 using a python-requests/2.28.1 user-agent. The operators issue SharePoint searches with contentclass:STS_Site filters and wildcard queries to inventory all reachable content.
Dwell time varies dramatically—from under an hour in smash-and-grab operations to multiple weeks when the target warrants deeper exploration. Exfiltration happens through a separate infrastructure tier: while initial access uses geo-matched residential proxies to avoid impossible-travel alerts, bulk downloads route through dedicated hosting at AS 51852.
Infrastructure Ties to BlackFile and ShinyHunters
The technical fingerprints suggest Helix inherited more than just tactics from its predecessors. The group's primary exfiltration IPs sit just four addresses apart from infrastructure previously linked to BlackFile operations on the same autonomous system (Private Layer INC).
Domain registration patterns also overlap. Helix uses NICENIC as its registrar—the same provider favored by ShinyHunters campaigns and the broader Scattered Spider ecosystem. This isn't coincidence; these groups share operational playbooks and, in some cases, personnel.
The timing reinforces the connection. BlackFile's April 2026 shutdown produced successor brands within weeks, including Pink and Redact. Helix follows the same pattern with identical kill chain techniques: vishing for initial access, device code phishing to capture tokens, MFA abuse for persistence, and SharePoint targeting for monetization.
Parallel Threats: Pink Passkey Attacks
Helix operates alongside another vishing group that poses an even more sophisticated threat to Microsoft 365 environments. As we reported earlier today, Pink is targeting Entra passkey enrollment through operator-controlled phishing kits that adapt to each victim's MFA configuration in real time.
The two campaigns share motivation—data extortion—but differ in execution. Where Helix relies on device code flows, Pink specifically targets the passkey enrollment process, tricking users into registering attacker-controlled passkeys that provide persistent, nearly undetectable access.
Okta threat intelligence has observed Pink targeting organizations across food and beverage, technology, healthcare, automotive, construction, and aviation industries. The group launched a public leak site on May 31, 2026, to pressure victims into paying.
Why Vishing Works
The surge in voice-based attacks isn't accidental. CrowdStrike documented a 442% increase in vishing activity between the first and second halves of 2024, and volume through H1 2025 already exceeded the full previous year.
Vishing succeeds where email phishing increasingly fails because it exploits human psychology differently. Caller ID spoofing creates immediate trust, and real-time phone conversations don't give victims the pause that a suspicious email might. Understanding these techniques requires recognizing how social engineering exploits human behavior rather than technical vulnerabilities.
The attacks also evade technical controls designed for web-based threats. Secure email gateways, URL sandboxing, and browser isolation do nothing against a phone call.
Defensive Recommendations
ReliaQuest identifies disabling device code authentication as the single highest-impact mitigation. For organizations that cannot disable it entirely, restricting the flow to managed devices significantly reduces risk.
Additional defenses include:
- Restrict SharePoint access to managed endpoints only
- Block communications with newly registered domains
- Monitor for anomalous user-agent strings during SharePoint access
- Implement out-of-band verification for any authentication requests received by phone
- Treat residential proxy traffic with suspicion during sensitive operations
Indicators of Compromise
| Indicator | Type |
|---|---|
| 179.43.185[.]230 | IP Address |
| 179.43.171[.]42 | IP Address |
| 179.43.185[.]226 | IP Address |
| oskeysync[.]com | Domain |
| python-requests/2.28.1 | User-Agent |
| AS 51852 (Private Layer INC) | Hosting |
Organizations should also monitor for contentclass:STS_Site search patterns and wildcard queries in SharePoint audit logs, particularly when combined with bulk download activity from unfamiliar IPs.
For broader context on emerging threats, follow our cybersecurity news coverage.
Related Articles
Pink Vishing Campaign Hijacks Entra Passkeys to Steal M365 Accounts
Threat actor O-UNC-066 runs voice phishing campaign tricking Microsoft 365 users into enrolling attacker-controlled Entra passkeys. Real-time MFA bypass enables full account takeover.
Jul 9, 2026Silent Ransom Gang Sends Fake IT Staff Into Law Firm Offices
Mandiant tracks UNC3753 hitting dozens of law firms via vishing and physical intrusions. Data theft to extortion in under one hour. FBI issues flash alert.
Jun 9, 2026FBI: Extortion Gang Walks Into Law Firms Posing as IT Staff
Silent Ransom Group escalates from vishing to physical infiltration. FBI FLASH alert warns 38+ law firms already breached, with operatives plugging USB drives into office computers.
May 28, 2026BlackFile Gang Uses Vishing to Hit Retail and Hospitality Orgs
New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.
Apr 26, 2026