The Voice on the Line
Caller ID spoofing is a cheap trick, but it works. Your phone rings. The screen displays your manager's name. You pick up. The voice on the other end sounds urgent, demanding you complete a quick verification for an IT update. If you comply, your corporate network is toast. This isn't some hypothetical threat model from a slide deck. It's the primary access vector for Helix, a newly identified data-extortion group currently tearing through enterprise Microsoft 365 environments.
Cybersecurity researchers at ReliaQuest recently exposed this crew's operations. Helix doesn't bother with sophisticated zero-day exploits. Instead, they target the softest part of the enterprise: human trust. By pairing voice phishing (vishing) with employee impersonation, they bypass expensive perimeter defenses without triggering a single firewall alert. It's clean, cheap, and devastatingly effective. They use the manager's actual name to establish immediate authority, then trick the target into executing a device-code login flow. Once they're in, they don't just look around. They lock down their access, exfiltrate folders, and demand hefty ransoms under threat of publishing the files on the dark web or selling them to rival networks.
Inside the Device-Code Phish
The core mechanism of the Helix attack relies on abuse of the Microsoft 365 device code authentication flow. In a typical scenario, the attacker guides the victim to enter a specific code on a Microsoft login page. This flow was originally designed for smart TVs and headless devices that lack a keyboard, but threat actors have repurposed it into a lethal phishing mechanism.
When the user enters the code and completes the authentication, they inadvertently authorize the attacker's device to access their account. It bypasses conventional multi-factor authentication (MFA) entirely—the user does all the identity checks on their end. Immediately after gaining this initial foothold, Helix operators register a new MFA authenticator app. They do this within seconds. Even if the victim realizes their mistake later and resets their password, the attacker's newly registered MFA device remains active, allowing them to log back in at will. From an architectural perspective, this is a total failure state. A single momentary lapse in judgment grants long-term persistence in the tenant.
The Python Exfiltration Fingerprint
Once Helix establishes baseline persistence in Microsoft 365, their next target is almost always the corporate SharePoint environment. Rather than manually clicking through document libraries, they deploy automated tools to scan and exfiltrate data at scale. ReliaQuest identified a highly consistent technical fingerprint across multiple Helix incidents. This uniform exfiltration footprint makes the group identifiable, even when they attempt to hide their tracks.
First, they run automated directory searches. The operator leverages the SharePoint API, issuing wildcard (*) searches alongside contentclass:STS_Site queries. This inventories every single reachable document library, folder, and file across the entire enterprise. Second, the exfiltration itself is executed programmatically. Researchers tracked these bulk-download operations to a specific IP address: 179.43.185.230. Across different victims, the HTTP requests consistently utilized the user-agent python-requests/2.28.1. There is no subtlety here. It's a loud, brute-force scrape of corporate documentation, intellectual property, and employee records, all funneled back to the attackers' infrastructure.
Tracking the Lineage of Helix
Helix is new, but their playbooks are intimately familiar. Threat researchers strongly suspect that this group is a spin-off or evolution of older, established extortion syndicates. Specifically, the evidence points toward ShinyHunters and the now-defunct BlackFile group.
First, look at the timeline. BlackFile, which specialized in identity-focused social engineering and vishing, abruptly ceased operations in April 2026. Shortly after they went dark, Helix emerged, utilizing nearly identical infrastructure and tactical playbooks. The resource sharing is not just theoretical; ReliaQuest observed a Helix attack originating from the same autonomous system (AS 51852) that hosted known BlackFile infrastructure.
The links to ShinyHunters are also striking. ShinyHunters has been on a massive tear recently. Over the past month, they claimed responsibility for major breaches at Medtronic, Nissan, NAIC, Kodak, Infinite Campus, and Nottingham University. You can read about how they operated in past campaigns, such as How ShinyHunters Turned a PeopleSoft Flaw Into a Global Extortion Machine or check the details from ShinyHunters Exposes 450K Student Records in University of Nottingham Cyberattack. Helix uses the exact same playbook of targeting Microsoft 365 tenants and pillaging SharePoint databases, and both groups have relied on the NICENIC domain registrar to buy their attack domains. Other security analysts have suggested Helix might be linked to other spin-offs like Pink or Redact. Whichever name they go by, the techniques remain highly consistent.
Disabling the Vector: Architectural Defenses
As security architects, we have to look past the human element and fix the system design. Training employees not to fall for voice spoofing is useful, but it's not a sufficient defense-in-depth posture. The real vulnerabilities are the permissive defaults in identity providers.
The single most effective defense against Helix is to disable device code authentication entirely. Unless you have legacy, headless devices that absolutely require it, there is no reason to allow this authentication flow in your enterprise tenant. If an employee cannot enter a device code, the group's primary exploitation mechanism is broken.
Beyond that, restrict SharePoint access strictly to managed, compliant devices. If Helix attempts to exfiltrate files from a Python script running on a rogue server at IP 179.43.185.230, conditional access policies should block them immediately, regardless of whether they have a valid session token. Finally, block outbound network traffic to, and authentication requests from, newly registered domains. Because Helix relies on fresh infrastructure purchased through registrar networks like NICENIC, stopping communication with recently active domains limits their ability to conduct social engineering campaigns. Stop playing whack-a-mole with user awareness; lock down the identity controls at the source.