A new data-extortion group named Helix is stealing data from enterprise SharePoint environments by targeting human trust and legitimate login procedures, rather than exploiting software flaws. Analysis reported by BleepingComputer reveals the group's tactics mark a significant evolution in cyberattacks, moving from technical breaches to identity-based manipulation.

The Helix campaign employs sophisticated voice phishing (vishing) tactics. Attackers impersonate IT support staff to trick employees into handing over credentials or approving fraudulent access requests. Their method specifically weaponizes two Microsoft authentication features: device code authentication and Multi-Factor Authentication (MFA) push notifications. In one scenario, a user is convinced to generate a device code and share it, granting attackers access. In another, victims are bombarded with MFA prompts until they inadvertently approve one.

This approach has successfully enabled the group to exfiltrate sensitive data from SharePoint repositories. The attack illustrates a core reality: for many adversaries, the most vulnerable entry point is now the employee and the authentication workflows they are trained to follow. Traditional network defenses and standard MFA setups can be bypassed when a legitimate user is socially engineered into providing access from the inside.

For security teams, particularly in organizations using Microsoft 365, this demands a shift in defensive strategy. Protecting against Helix requires hardening human procedures and restricting risky authentication features. Experts recommend a three-pronged response:

First, conduct an immediate audit of device code authentication across the organization. Disable this feature for any user who does not have a strict operational need for it, thereby closing the primary vector exploited by Helix.

Second, establish and enforce a strict verification protocol for all unsolicited IT requests. Any call for a password reset or MFA approval must be independently confirmed through a separate, pre-established communication channel—such as calling the helpdesk number listed in the official company directory.

Third, replace generic security awareness training with targeted vishing simulations. Exercises should replicate the high-pressure scenarios used by Helix, such as urgent calls about a simulated account compromise, to build a "pause and verify" reflex in employees.

On the monitoring front, security operations centers must tune systems to detect behavioral anomalies following a potential social engineering incident. This includes flagging SharePoint access from atypical locations or bulk file downloads by non-administrators immediately after a reported support call.

This campaign also highlights a critical limitation of traditional data backups. While essential for recovering from ransomware, backups provide no defense against data theft. Helix’s goal is exfiltration, not encryption. Therefore, preventing the initial identity compromise through social engineering becomes the primary strategy for protecting data.

For organizations in Hong Kong and the region, the Helix operation is a clear indicator that the cybersecurity frontier has expanded. The battle to protect sensitive data now centers on defending and verifying user identity, as the most effective attack may simply be the one that asks for the keys.


一個名為 Helix 的新型數據勒索組織,正透過針對人類信任及合法登入流程(而非利用軟件漏洞),從企業 SharePoint 環境中竊取數據。BleepingComputer 報導的分析指出,該組織的攻擊手法標誌著網絡攻擊的重大演變——從技術入侵轉向基於身份的操控。

Helix 行動採用複雜的語音釣魚(vishing)策略。攻擊者假扮 IT 支援人員,欺騙員工交出登入憑證或批准虛假的存取請求。他們的方法特別針對 Microsoft 的兩項驗證功能:裝置代碼驗證及多重驗證(MFA)推送通知。在一種情境下,用戶被說服生成裝置代碼並分享,從而授予攻擊者存取權限。在另一種情境下,受害者會不斷收到 MFA 提示,直至他們不慎批准其中一項。

這套方法已成功讓該組織從 SharePoint 資料庫中竊取敏感數據。此次攻擊揭示了一個核心現實:對許多攻擊者而言,最脆弱的入侵點現在是員工及其受過訓練遵循的驗證流程。當合法用戶被社會工程手段誘使從內部提供存取權時,傳統網絡防禦及標準 MFA 設定都可能被繞過。

對安全團隊而言,尤其在使用 Microsoft 365 的組織中,這要求轉變防禦策略。防禦 Helix 需要強化人工流程並限制高風險的驗證功能。專家建議採取三管齊下的應對措施:

第一,立即對全組織的裝置代碼驗證進行稽核。為任何沒有嚴格營運需求的用戶禁用此功能,從而堵住 Helix 利用的主要向量。

第二,建立並強制執行嚴格的核實流程,以應對所有未經請求的 IT 請求。任何關於密碼重置或 MFA 核准的來電,必須透過獨立且預先建立的溝通渠道(例如撥打公司官方目錄中列明的 helpdesk 電話)進行核實。

第三,以針對性的語音釣魚模擬取代通用的安全意識培訓。演練應複製 Helix 使用的高壓情境,例如關於模擬賬戶被入侵的緊急來電,以在員工心中建立「暫停並核實」的反射動作。

在監控方面,安全運營中心必須調整系統,以偵測潛在社會工程事件後的行為異常。這包括立即標記來自非典型位置的 SharePoint 存取,或在通報支援來電後非管理員進行的批量檔案下載。

此行動亦凸顯了傳統數據備份的關鍵限制。雖然備份對於從勒索軟件中恢復至關重要,但它們對數據竊取毫無防禦作用。Helix 的目標是數據外洩,而非加密。因此,透過社會工程防範初始的身份入侵,成為保護數據的主要策略。

對香港及區內的組織而言,Helix 行動清楚表明網絡安全前線已經擴大。保護敏感數據的戰役,現已聚焦於防衛及核實用戶身份,因為最有效的攻擊可能僅僅是那個直接要求提供存取憑證的攻擊。

新聞來源 / Original News Source