Hackers Use Device Code Phishing to Replay Sessions and Register MFA for Persistence
Threat researchers have uncovered a new data extortion group named “Helix” that bypasses traditional security perimeters without deploying a single piece of malware. Emerging from the remn

Threat researchers have uncovered a new data extortion group named “Helix” that bypasses traditional security perimeters without deploying a single piece of malware. Emerging from the remnants of well-known extortion operations such as BlackFile and ShinyHunters, Helix focuses exclusively on identity-based attacks. By exploiting human trust and abusing legitimate authentication flows, the group silently exfiltrates […] The post Hackers Use Device Code Phishing to Replay Sessions and Register MFA for Persistence appeared first on Cyber Security News.
Threat researchers have uncovered a new data extortion group named “Helix” that bypasses traditional security perimeters without deploying a single piece of malware. Emerging from the remnants of well-known extortion operations such as BlackFile and ShinyHunters, Helix focuses exclusively on identity-based attacks. By exploiting human trust and abusing legitimate authentication flows, the group silently exfiltrates sensitive data from corporate SharePoint environments. The attack chain begins with highly targeted voice phishing, commonly known as vishing. Helix operators conduct extensive reconnaissance on a target organization, allowing them to impersonate direct managers during phone calls with high-visibility employees. Over the phone, the attacker smoothly guides the victim into entering a Microsoft device code into their browser. This clever social engineering tactic allows the attacker to capture a valid session token via the device code flow without ever requesting the victim’s password. Device Code MFA Persistence Armed with the stolen session token, the attacker replays it to access the environment from an unmanaged device. To avoid triggering “impossible travel” security alerts, Helix uses residential proxies that are geographically matched to the victim’s real city. Within minutes of gaining initial access, the operator quietly registers a new Multi-Factor Authentication (MFA) app to the compromised account. This legitimate MFA registration provides the attacker with durable, nearly invisible persistence inside the network. Once their foothold is secure, the threat actor enters a dwell phase that can last anywhere from a few hours to over a week. They interactively browse SharePoint sites and cloud storage to understand the environment’s value. Finally, Helix pivots to heavily automated collection. Using Python-based tools, the attackers run wildcard searches to inventory all reachable SharePoint files before executing a massive bulk download to an external server. Because Helix operates entirely through valid sessions and legitimate identity protocols, traditional endpoint security solutions often miss the intrusion. Once an attacker bypasses MFA and captures a session, incident responders have a very short window to act before data exfiltration begins. Security teams must move quickly to terminate active sessions, deactivate the compromised accounts simultaneously across cloud and on-premises environments, and force complete password resets, reliaquest said. Indicators of Compromise ArtifactTypeDetails179.43.185[.]230IP AddressExfiltration IP179.43.185[.]226IP AddressIP Previously Associated with BlackFileoskeysync[.]comDomainPhishing Domain Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Hackers Use Device Code Phishing to Replay Sessions and Register MFA for Persistence appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


