Helix Data Extortion Group Targets Microsoft 365 SharePoint

Helix targets Microsoft 365 via vishing and device code phishing to steal SharePoint data

The Helix data extortion group has emerged as a significant threat to Microsoft 365 environments, particularly those using SharePoint. By leveraging vishing and device code phishing, Helix attackers can evade traditional security measures and exfiltrate large volumes of sensitive corporate data.

How the Helix Attack Campaign Works

Helix distinguishes itself from other cyber extortion groups by focusing on identity abuse rather than malware delivery or noisy ransomware. Their attacks centre on gaining unauthorised access to Microsoft 365 accounts, with a strong emphasis on SharePoint data theft.

Attack Methods: Vishing and Device Code Phishing

The group employs two primary techniques:

  • Vishing (voice phishing): Attackers call employees, posing as IT staff or trusted partners, to manipulate victims into performing account-related actions.
  • Device code phishing: Victims are tricked into entering a device code on a legitimate Microsoft authentication page, unwittingly granting the attacker a session token.

By abusing these identity flows, Helix avoids traditional credential phishing or malware, which often trigger security alerts. The device code mechanism is particularly insidious because it relies on victim interaction to approve the attacker’s access.

Timeline and Known Impact

The Helix data extortion group’s activities were highlighted in early 2024, after several incidents involving Microsoft 365 tenants were reported. Security analysts first noticed the group’s preference for identity-based attacks rather than legacy malware or ransomware campaigns.

Targeted Products and Versions

Helix’s tactics specifically affect organisations using:

  • Microsoft 365 (all tenants and subscription tiers)
  • SharePoint Online (as part of Microsoft 365)

Any organisation utilising Microsoft’s cloud services, especially those with weak policies around device code flows, is at risk. There is no evidence that Helix exploits zero-day vulnerabilities; instead, they manipulate legitimate Microsoft authentication features.

Who is Affected

Incidents have impacted a range of organisations, from SMEs to large enterprises, with a particular focus on those with significant intellectual property and sensitive document repositories in SharePoint. Because the attack leverages social engineering, any user with access to valuable SharePoint libraries could be targeted.

Technical Details: From Social Engineering to Data Exfiltration

Helix’s campaign is notable for its speed and stealth. Instead of deploying ransomware, the attackers rapidly move from initial access to data theft, often before defenders are aware of the breach.

Device Code Phishing in Detail

The attack typically unfolds as follows:

  1. The attacker initiates a vishing call to a target, impersonating internal IT or a trusted service provider.
  2. The victim is instructed to visit the legitimate Microsoft device login page (such as https://microsoft.com/devicelogin).
  3. Under the guise of troubleshooting or setup, the victim is provided with a device code (controlled by the attacker) to enter on the site.
  4. Once entered, this device code links the attacker’s device to the victim’s account, granting a valid session token.
  5. With this token, the attacker gains direct access to Microsoft 365 resources, especially SharePoint libraries.
  6. The attacker then exfiltrates large volumes of corporate data, often within minutes to hours of initial access.

This approach bypasses many conventional security controls, such as password policies and some multi-factor authentication setups, because the victim is authenticating the attacker’s session through legitimate Microsoft workflows.

Detection and Response Challenges

The stealthy nature of device code phishing makes early detection difficult. Security teams may not see any typical signs of compromise, such as password changes, login attempts from unusual locations or malware signatures. Instead, attackers operate within the boundaries of valid user sessions, blending in with normal activity.

Current Exploitation Status

Active exploitation of this technique is ongoing, with multiple confirmed cases of data theft from SharePoint Online reported in the past several months. Analysts report a growing trend in extortion demands, where Helix threatens to leak exfiltrated corporate data unless ransoms are paid.

There is no evidence yet of malware payloads or ransomware encryption—Helix’s value lies in rapid data exfiltration and extortion, making them harder to detect through traditional security tools.

Why This Matters

The Helix campaign highlights the risks of relying solely on traditional security controls in cloud environments. By exploiting trusted authentication flows, attackers can bypass many defences. For any organisation using Microsoft 365 and SharePoint, this raises the urgency to review identity security and social engineering awareness.

What Organisations Should Do Now

  • Review and restrict device code authentication flows where possible.
  • Strengthen Conditional Access policies and harden multi-factor authentication settings.
  • Monitor SharePoint access logs for large or unusual data exports.
  • Educate staff about vishing and social engineering tactics used in device code phishing attacks.

Organisations should act promptly, as Helix’s tactics are likely to be adopted by other groups targeting cloud environments.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Category
Phishing & Social Engineering
Published
Jul 9 - 2026
Post Tags
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call