Hackers shift tactics: Abusing identities to silently drain Cloud data
- Thảo Nguyên

- 1 day ago
- 3 min read
Instead of deploying loud ransomware attacks to lock down data as seen in the past, an emerging cybercriminal threat group known as Helix is drawing attention with a completely different tactic. This group focuses on abusing legitimate user identities to compromise corporate Microsoft 365 cloud environments. This approach allows their attacks to unfold silently, making them far more difficult to detect.
Tricking users to hijack access
Helix's operational method is unique: they do not rely on complex security vulnerabilities, choosing instead to manipulate human psychology. The group utilizes voice phishing (vishing) combined with phishing campaigns targeted directly at cloud services to obtain valid login credentials.
One of Helix's common tactics involves tricking victims into entering a device code. Many employees are completely unaware that entering this code is equivalent to granting bad actors full access to their accounts.
A typical case study: An attacker impersonated the victim's supervisor and instructed them to enter a device code into the Chrome browser. As a result, they hijacked an authenticated login session without ever knowing the user's password, effectively bypassing standard alerting systems.
Stealth tactics and maintaining persistence
Within minutes of gaining access to a victim's account, Helix proceeds to register a new Multi-Factor Authentication (MFA) device. This action allows them to establish a persistent backdoor, enabling them to return at any time without continuously triggering suspicious behavior alerts.

According to findings from analysts at ReliaQuest, the group also sophisticatedly utilizes networking techniques to evade security monitoring systems:
Creating sophisticated traps: Registering target-specific subdomains under a broader phishing domain.
Spoofing locations: Utilizing residential proxies with geographic locations that match the city where the victim resides.
Erasing tracks: Continuously rotating login IP addresses to blend in with the normal day-to-day access activities of legitimate employees.
SharePoint - The targeted data "Goldmine"
Once firmly entrenched within the Microsoft 365 environment, Helix moves into the data discovery and collection phase. The central and most lucrative target in their attacks is SharePoint document libraries.
Depending on the scenario, data exfiltration speeds can vary significantly:
Smash-and-grab attacks: In some cases, it takes attackers less than an hour to progress from initial breach to mass data downloading.
Patient persistence: In other instances, they spend days quietly reading emails and browsing internal sites to prepare for a large-scale data exfiltration operation.
Helix typically conducts initial manual browsing before deploying automated tools to enumerate entire SharePoint libraries, followed by bulk downloads via a dedicated IP address prepared for this purpose. Repositories containing sensitive documents - such as contracts, internal plans, legal records, or customer data - are suddenly transformed into leverage for extortion.
Defensive measures and reducing attacker opportunities
Many organizations still view SharePoint as a low-risk collaboration tool, which inadvertently lowers their guard against data extortion groups. To counter this form of identity abuse, the most direct and proactive security measures include:
Disabling device code authentication if it is not strictly required by the organization.
Limiting access to sensitive cloud services, allowing connections only from corporate-managed devices.
Proactively blocking newly registered domains before they can be weaponized as phishing tools.
Additionally, standard Incident Response steps such as resetting passwords, revoking active sessions, and locking accounts remain highly effective. However, the greatest challenge is the extremely narrow response window. Attackers react swiftly; in a real-world scenario, immediately after an account was locked, they instantly attempted to re-register MFA and reset the password.转 Consequently, response actions must be executed simultaneously and rapidly across both cloud identity providers and on-premises systems.
Helix's extortion model thrives by exploiting trust, time constraints, and familiar corporate cloud services. To detect and prevent these incidents early, security teams must monitor for Indicators of Compromise (IoCs) such as phishing IPs/domains, sequences of device code registrations and new MFA setups, the use of residential proxies matching the victim's location, or anomalous subdomains. A single well-crafted vishing call and one device code are all it takes to throw wide open the doors to a large-scale data breach - all without leaving a single trace of malware.










Comments