Start your day with intelligence. Get The OODA Daily Pulse.

Home > Briefs > Cyber > New Helix vishing group emerges in SharePoint data theft attacks

New Helix vishing group emerges in SharePoint data theft attacks

A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments. Initial contact is made through vishing. In some cases, the threat actor called employees while impersonating their manager, using either the manager’s name or caller ID spoofing to appear legitimate. The purpose is to trick the target into device-code phishing schemes to gain access to their accounts. Once inside, Helix operators quickly register a new multi-factor authenticator app for persistence, then browse and enumerate SharePoint before exfiltrating files. According to researchers at cybersecurity firm ReliaQuest, the stolen data is typically used to extort victim organizations by threatening to publish it unless a ransom is paid, or it is sold to other cybercriminals.

Full report : New Helix vishing group emerges in SharePoint data theft attacks.