Identity

New Helix data extortion group uses identity-focused tactics to target SharePoint

Microsoft SharePoint app seen in App Store on the screen of ipad and blurred finger pointing at it.

A new data-extortion group named Helix is employing identity-focused tactics, including voice phishing (vishing), device code phishing, and multi-factor authentication abuse, to steal data from SharePoint environments, Bleeping Computer reports.

Helix initiates contact through vishing, sometimes impersonating managers via caller ID spoofing, to trick targets into device-code phishing schemes for account access, according to a report by ReliaQuest. Once inside, attackers register new MFA apps for persistence, then enumerate and exfiltrate files from SharePoint. Researchers at ReliaQuest believe Helix may have links to the ShinyHunters and BlackFile data extortion groups due to shared techniques and infrastructure, such as the use of the NICENIC registrar and similar social engineering playbooks.

The exfiltration of SharePoint data is considered Helix's strongest technical fingerprint. ReliaQuest recommends disabling device code authentication where possible, restricting SharePoint access to managed devices, and blocking newly registered domains to defend against these attacks.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds