A new data-extortion group named Helix is employing identity-focused tactics, including voice phishing (vishing), device code phishing, and multi-factor authentication abuse, to steal data from SharePoint environments, Bleeping Computer reports.Helix initiates contact through vishing, sometimes impersonating managers via caller ID spoofing, to trick targets into device-code phishing schemes for account access, according to a report by ReliaQuest. Once inside, attackers register new MFA apps for persistence, then enumerate and exfiltrate files from SharePoint. Researchers at ReliaQuest believe Helix may have links to the ShinyHunters and BlackFile data extortion groups due to shared techniques and infrastructure, such as the use of the NICENIC registrar and similar social engineering playbooks.The exfiltration of SharePoint data is considered Helix's strongest technical fingerprint. ReliaQuest recommends disabling device code authentication where possible, restricting SharePoint access to managed devices, and blocking newly registered domains to defend against these attacks.Source: Bleeping Computer
Identity

New Helix data extortion group uses identity-focused tactics to target SharePoint

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



