A new threat actor dubbed Helix has emerged, employing a combination of voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to compromise SharePoint environments. The group focuses on identity-based tactics to gain initial access and exfiltrate sensitive data from targeted organizations.

According to reports, Helix's attacks involve social engineering campaigns where victims are tricked into divulging credentials or approving MFA prompts via phone calls. This vishing approach, coupled with device code phishing, allows the group to bypass standard authentication controls and infiltrate SharePoint document libraries.

While specific indicators of compromise or a full technical breakdown are not yet publicly available, the attack vector centers on exploiting human trust and authentication workflows. Helix appears to target organizations that rely heavily on SharePoint for collaboration and data storage, making data theft the primary objective.

Currently, no patches or vendor mitigations exist specifically for this threat, as Helix exploits standard authentication features rather than software vulnerabilities. Organizations are advised to strengthen MFA policies, implement phishing-resistant authentication methods, and educate employees about vishing risks to reduce the attack surface.

The emergence of Helix highlights a broader trend where extortion groups shift from traditional ransomware to pure data theft via identity attacks. As attribution remains unclear, cybersecurity teams should monitor for unusual authentication patterns and unexpected MFA approval requests in SharePoint logs.