"Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent," researchers at ReliaQuest write.
How Helix gains entry: vishing, impersonation, and device-code phishing
ReliaQuest's analysis describes a clear, identity-focused playbook: initial contact is made through voice phishing (vishing), often with the caller impersonating a victim's manager. The actor uses either the manager's name or caller ID spoofing to appear legitimate and to coerce the target into completing device-code phishing schemes designed to hand over account access.
Once the account is compromised, ReliaQuest observed operators quickly register a new multi-factor authenticator app for persistence. From that foothold, the operators move to enumerate SharePoint content and exfiltrate files.
SharePoint exfiltration: a distinct technical fingerprint
ReliaQuest identifies SharePoint data theft as Helix’s strongest technical fingerprint. The researchers say operators issued “contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent.”
The automated enumeration and collection behavior was consistent across incidents, and ReliaQuest points to the specific exfiltration IP and HTTP client string — 179.43.185[.]230 and python-requests/2.28.1 — as reliable indicators to detect and block similar activity.
Where the data goes: extortion and resale
According to ReliaQuest, stolen SharePoint data has been used to extort organizations — with threats to publish material unless a ransom is paid — or to sell the data to other cybercriminals. The pattern fits a standard data-extortion model in which extraction of sensitive files is followed by monetization through extortion or secondary markets.
Connections to ShinyHunters and BlackFile
ReliaQuest believes Helix emerged from, or at least shares lineage with, the ShinyHunters and BlackFile data extortion operations, though the researchers explicitly state they did not find a definitive connection. Several strands support the hypothesis:
- Technique overlap with ShinyHunters: a very similar social engineering playbook — vishing, employee impersonation, targeting Microsoft 365, and stealing SharePoint data.
- Registrar reuse: the NICENIC registrar seen in past ShinyHunters campaigns also appeared in Helix activity.
- Infrastructure overlap with BlackFile: one Helix attack used an exfiltration IP address in the same autonomous system (AS 51852) that hosted a confirmed BlackFile IP address, suggesting shared resources.
The timing is notable: Helix emerged shortly after BlackFile ceased operations in April, and ReliaQuest points to that sequence as a potential continuation of the extinct operation. The researchers also mention Pink and Redact as possible successors in the same family of data-extortion actors.
Defensive measures ReliaQuest recommends
ReliaQuest identifies immediate defensive steps aimed squarely at the techniques Helix uses. Their highest-impact recommendation is to disable device code authentication where possible. Other specific mitigations include restricting SharePoint access to only managed devices and blocking interactions with newly registered domains, which Helix typically uses in its campaigns.
ReliaQuest's findings make clear that persistence hinges on adding an MFA authenticator and on automated, rapid enumeration; interrupting those stages reduces the value of an initial vishing compromise.
What this means for security teams, procurement leaders, and end users
- Security teams: Watch for the technical indicators ReliaQuest highlights — 179.43.185[.]230 and the python-requests/2.28.1 user-agent — and prioritize detection rules that flag bulk SharePoint searches (contentclass:STS_Site and wildcard queries) and rapid authenticator registrations.
- Procurement and IT leaders: Consider policies that restrict SharePoint access to managed devices and enforce domain reputation checks, particularly for newly registered domains that Helix favors in its social engineering lures.
- End users and employees: Be alert to vishing attempts that impersonate managers and to device-code requests; ReliaQuest recommends disabling device code authentication where feasible to remove one of the core exploitation paths.
ReliaQuest's report ties a precise technical signature to a social-engineering playbook that is both simple and effective. The combination — voice-based coercion to obtain device codes, rapid registration of an MFA app, and systematic SharePoint harvesting using distinct network and client fingerprints — gives defenders concrete artifacts to look for, even as it raises the prospect that earlier extortion groups have reconstituted under a new name. ReliaQuest did not find a definitive, single thread tying Helix to ShinyHunters or BlackFile, but the technique, registrar use, and overlapping infrastructure give investigators and defenders clear, actionable leads.




