This is external threat intelligence from the ReliaQuest Threat Research team. The findings describe threats, vulnerabilities, and attacker activity affecting third parties and the broader threat landscape—not ReliaQuest's own environment. Nothing in this report should be interpreted as a vulnerability in ReliaQuest's systems or data.
Editor’s Note: This report was authored by Tristano Di Liberto, Alexa Feminella, and Daxton Wirth
Key Points
ReliaQuest identified a previously unreported group, “Helix,” running a multi-target data extortion campaign that uses vishing, device code phishing, and automated SharePoint exfiltration—all built on shared infrastructure.
Helix likely emerged from the “BlackFile” and “ShinyHunters” ecosystem. Groups fragment and rebrand, but the techniques and infrastructure persist across every iteration.
Disabling device code authentication is the single highest-impact action. Restricting sensitive software-as-a-service (SaaS) applications to managed endpoints and blocking newly registered domains close the remaining entry points this playbook depends on.
ReliaQuest has identified a data extortion group operating under the name "Helix." However, the playbook it runs and the identity gaps it exploits extend well beyond the group itself. Helix uses vishing to initiate contact—we've even seen the group spoof a target's direct manager by name on caller ID. Device code phishing then sidesteps Conditional Access policies, and automated tools enumerate and mass-download SharePoint libraries before bulk exfiltration triggers an alert. ReliaQuest has confirmed shared infrastructure across attacks on multiple targets, including a phishing domain with target-specific subdomains, suggesting a widespread campaign.
Helix's kill chain closely mirrors the now-defunct "BlackFile" (“UNC6671”), which fragmented into multiple successor operations, including "Pink" and "Redact,"[i] after shutting down in April 2026. The phishing domain is registered through a registrar previously used in campaigns from both BlackFile and “ShinyHunters” (“UNC6661”), a prominent data extortion group. Whether Helix is a direct continuation or an adjacent actor running the same playbook, the resemblance is hard to dismiss. SharePoint has become a primary exfiltration target across the data extortion landscape, and the identity-based entry techniques Helix uses (vishing, device code phishing, MFA abuse) are now shared tradecraft across multiple campaigns.
In this report, we:
Assess Helix’s likely ties to the BlackFile and ShinyHunters ecosystem based on infrastructure, tradecraft, and timing.
Break down the full kill chain and connect it to the broader wave of SharePoint-targeting campaigns across the data extortion landscape.
Provide hardening guidance for the identity and access gaps Helix is actively exploiting.
Helix Emerges as BlackFile Fragments
The links between Helix and the established BlackFile and ShinyHunters ecosystems stop short of confirmed attribution. But the overlap in infrastructure, tradecraft, and timing is substantial enough that organizations already tracking those groups should treat Helix as an extension of the same data extortion campaigns they're defending against. Attribution matters when a new name surfaces, but the bigger picture is that the data extortion ecosystem is fragmenting into smaller operations faster than defenders can map them. BlackFile's shutdown produced at least three successor brands in under three months, and the infrastructure patterns and tradecraft signatures are proving more durable than any group name.
BlackFile, ShinyHunters, and the Ecosystem Helix Emerged From
After BlackFile shut down in April 2026, Pink and Redact emerged within weeks, running the same playbook. ReliaQuest assessed at the time that Pink wasn't fully independent, but a new front tied to the original ecosystem. Days before Helix activity surfaced, Redact publicly distanced itself from a former BlackFile member. The relationship between BlackFile and ShinyHunters has itself been contested; BlackFile has stated the two operations aren't connected, despite substantial overlap in tactics, techniques, and procedures (TTPs); targeting; and the broader data extortion model. Helix complicates that picture by carrying indicators that point toward both operations.
The vishing-led entry and branded subdomain impersonation are shared tradecraft across the broader ecosystem. Both ShinyHunters and BlackFile have been documented using voice phishing for initial access and registering target-branded credential harvesting domains, with NICENIC identified as the preferred registrar for the network known as “Scattered Spider” or “The Com”—a loose community of threat actors known for social engineering and data extortion. Helix's phishing domain, oskeysync[.]com, follows this exact pattern, registered through NICENIC with subdomains tailored to each target organization. Where the evidence points more narrowly toward BlackFile is the hosting. Helix's exfiltration IP address (179.43.185[.]230) sits on AS 51852 (Private Layer INC), the same autonomous system that hosted a confirmed BlackFile IP address (179.43.185[.]226) in April 2026—four addresses apart, same provider, two months apart.
The shared tradecraft (the registrar, kill chain, and social engineering approach) is consistent with the broader ecosystem but not uniquely attributable to any single group within it. The hosting proximity to a confirmed BlackFile IP address, combined with the timing of BlackFile's fragmentation, narrows the connection further. The alternative, that an entirely unrelated actor outside this ecosystem independently assembled the same infrastructure stack within weeks, is less consistent with the evidence. Whether Helix is a direct successor or an adjacent operator borrowing the same playbook, the operational overlap warrants treating it with the same urgency and detection priorities as BlackFile and ShinyHunters campaigns.
Inside the Helix Playbook
The following kill chain is reconstructed from Helix incidents investigated by ReliaQuest. The specific entry point varied across incidents, but the post-access sequence was consistent enough to map as a single playbook.
Reconnaissance
Helix likely researched each target organization before making contact, judging by the level of organizational detail the operator had when initiating calls. The operator knew the organizational chart and direct reports by name and built a pretext convincing enough to hold up on a live phone call, impersonating the target user's manager using their real contact details. Targeting consistently favored high-visibility employees, including executives, suggesting the operators are pursuing the kind of broad access these roles hold.
The actor also tailored infrastructure to avoid detection. The residential proxy used for sign-in was geo-matched to targets’ real city, preventing an impossible-travel alert from firing. Over the dwell window, the operator rotated through more than 15 residential IP addresses against a single mailbox. That volume of legitimate-looking source addresses, combined with the target's own VPN and mobile-network activity, gave the operator cover to blend into normal login patterns.
Initial Access
Every confirmed case was identity-based. Helix registered a target-specific subdomain under the shared oskeysync[.]com parent domain to either harvest credentials or initiate a device code phishing flow.
In a confirmed vishing case, the caller impersonated the target user’s manager and walked them through entering a device code into Chrome. The target never shared a credential over the phone. The entire exchange was designed to capture a session token through the device code flow, giving the operator authenticated access without ever touching the password.
Sign-ins landed from unmanaged endpoints. One device was a Windows 10 host on Chrome with “Keep Me Signed In” selected, connecting from a residential IPv6 address. In another, SharePoint access went through with no recorded authentication method only six minutes after the actor completed MFA registration, suggesting the session token from the device code flow was replayed directly. Where vishing wasn’t confirmed, social engineering remains the working hypothesis given identical post-access behavior across all incidents.
Persistence
Helix established persistence by registering a new MFA Authenticator app on the target account, typically within minutes of the initial sign-in. Registration came from the same residential proxy or IPv6 address used for access. The only persistence artifact is a legitimate MFA registration, indistinguishable from normal user activity without additional context. The operator consistently chose the simplest persistence method available, and the hardest to detect and remove.
Dwell, Discovery, and Exfiltration
After establishing persistence, the operation moved through two phases: manual discovery followed by automated collection. Dwell time between them varied dramatically. One incident moved from access to mass exfiltration in under an hour, with MFA registration, SharePoint enumeration, and bulk download all occurring. Another spent one to two days interactively browsing SharePoint site landing pages and branding assets from a residential proxy before pivoting to automated tools. The longest ran over a week. The operator quietly read email from rotating residential IPs, exfiltrated from a cloud storage platform first, and only pivoted to SharePoint at the end. The variation suggests dwell is a deliberate operational choice tuned to the value and detectability of each environment, not a fixed timeline.
Automated enumeration and collection were identical across incidents and represent the most reliable fingerprint. Enumeration ran from 179.43.185[.]230 using the python-requests/2.28.1 user-agent. The operator issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content, then bulk-downloaded from the same IP and user-agent. One critical operational tell: 179.43.185[.]230 was used only for exfiltration, never for initial access. The actor authenticated from a residential proxy geo-matched to the target, then pivoted to this IP for bulk collection.
Post-Compromise Behavior and Containment Evasion
Cleanup was minimal and inconsistent. Where cleanup activity was observed, the operator deleted a phishing-awareness notification email from the target's inbox. This behavior has been previously documented in the BlackFile and ShinyHunters operations, thought it may reflect common tradecraft rather than a direct link.
Standard response actions (password reset, session revocation, account disable) generally held. However, in at least one case the operator actively tested containment shortly after the account was disabled, attempting to re-register MFA and reset the password.
Step Up Your Defenses Against Identity-Based Exfiltration
ReliaQuest Approach
GreyMatter Agentic AI correlates isolated, low-fidelity events into a single intrusion narrative at machine speed. In this campaign, an unfamiliar sign-in, a new MFA registration, automated SharePoint enumeration, and bulk download from a hosted IP all fell inside a short window—under an hour in the fastest case. Stitching those signals together in real time is what separates early detection from a full-blown security incident.
GreyMatter Automated Response Playbooks address the core challenge this activity exposed: the attacker operated through a legitimate session and a newly registered MFA method, so there was no malware to quarantine. Automated containment here consists of terminating sessions, disabling users, and resetting passwords. This closes the window between access and exfiltration that the threat actor depends on.
ReliaQuest Detection Rules are continuously updated with the latest relevant threat intelligence, including rules targeting SharePoint site enumeration via contentclass:STS_Site and mass SharePoint downloads following suspicious device or MFA registration.
The core problem in every Helix intrusion was speed. The attacker captured a session through device code phishing, registered MFA within minutes, then sat quietly before automating exfiltration. The window between compromise and bulk SharePoint download is where containment must deliver. Pairing ReliaQuest detection rules with the following Automated Response Playbooks helps your organization cut mean time to contain (MTTC) threats to 5 minutes or less.
Terminate Sessions: Revokes all active sessions on the compromised account, invalidating the token captured through device code phishing. In the Helix intrusions, the attacker relied on persistent sessions from residential proxies to maintain access during the dwell period. Killing the session forces re-authentication, which blocks further access when combined with the actions below.
Disable Users: Disables the compromised account to prevent any further access. Speed matters here. In at least one Helix incident, the attacker attempted to re-register MFA and reset the password roughly 30 to 40 minutes after the account was disabled. In hybrid environments, ensure the disable is applied to both Entra ID and on-premises AD simultaneously to avoid the sync gap documented in this report.
Reset Password: Forces a credential reset to prevent re-authentication with the original password. In one Helix incident, a password reset succeeded on-premises but failed in the cloud because the account had already been disabled on the cloud side. Pair this with account disable and execute both across on-prem and cloud simultaneously.
For faster containment, configure these Playbooks to execute automatically upon detection, removing the manual approval step and reducing response time to seconds.
Your Action Plan
Helix's playbook runs through identity, not infrastructure, so every priority below targets the access path before exfiltration begins.
Disable device code authentication: This is the single highest-impact action. Device code phishing was the confirmed entry method across Helix intrusions, and disabling the flow eliminates the vector entirely. If business requirements prevent a full disable, restrict device code authentication to a narrow set of managed devices and monitor for anomalous device code requests.
Restrict sensitive software-as-a-service (SaaS) applications to managed endpoints only: Helix operators authenticated from unmanaged devices and registered MFA from them without restriction. Conditional access policies that require device compliance or domain join for SharePoint, Exchange, and other sensitive applications would have blocked post-compromise access at the session level.
Block newly registered domains: The phishing domain oskeysync[.]com and its target-specific subdomains were recently registered. Domain age filtering at the proxy or DNS layer catches infrastructure that most data extortion operators stand up days to weeks before a campaign. This isn't Helix-specific; it's a baseline control against the broader trend.
Key Takeaways and What’s Next
Helix, like many other active groups today, is identity-driven rather than malware-driven, a pattern ReliaQuest has seen consistently across 2025 and into 2026. It shows up in social-engineered access from residential proxies geo-matched to the target, MFA registration for persistence, automated SharePoint enumeration, and bulk exfiltration from a shared hosted IP. Organizations should expect this kill chain to remain in active use and spread as the broader data extortion ecosystem fragments and shares playbooks. ReliaQuest will continue to track related infrastructure and update detection coverage as the cluster evolves or a new group emerges.
IOCs
Artifact | Type | Details |
|---|---|---|
179.43.185[.]230 | IP Address | Exfiltration IP |
179.43.185[.]226 | IP Address | IP Previously Associated with BlackFile |
oskeysync[.]com | Domain | Phishing Domain |

