Helix vishing and SharePoint data-extortion campaign
Campaign
Summary
Hide ▲
Show ▼
The Helix campaign is using vishing, device-code phishing, and MFA abuse to break into SharePoint environments and steal files, exposing victim organizations to extortion. Operators then add a new authenticator app for persistence and rapidly enumerate content before exfiltration. The stolen data can be used to threaten publication or sold to other cybercriminals.
Related Happenings
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score37
First: 09.07.2026 17:39
Last: 09.07.2026 17:39
Sources 1
About this happening:
**Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Pink new extortion brand within The Com
Threat Actor Meta
H score30
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Icarus Salesforce data-theft extortion campaign
Campaign
H score42
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Icarus Salesforce data-theft extortion campaign
CampaignAbout this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Latest development: 23.06.2026 16:58
LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
H score37
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile victims' Salesforce and SharePoint data leak
Data Leak
H score35
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
BlackFile victims' Salesforce and SharePoint data leak
Data LeakAbout this happening: BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
Timeline
-
09.07.2026 20:08 2 articles · 5h ago
Helix steals SharePoint data using vishing and MFA abuse
Initial DisclosureHelix is identified as a new data-extortion group using voice phishing, device code phishing, and multi-factor authentication abuse to gain access to SharePoint environments, register a new multi-factor authenticator app for persistence, enumerate content, and exfiltrate files. The stolen data is then used to extort victim organizations or sold to other cybercriminals, and defenders are advised to disable device code authentication where possible, restrict SharePoint access to managed devices, and block newly registered domains.
Show sources
- New Helix vishing group emerges in SharePoint data theft attacks — www.bleepingcomputer.com — 09.07.2026 20:08
- New Helix vishing group emerges in SharePoint data theft attacks — www.bleepingcomputer.com — 09.07.2026 20:08