Helix Group Uses Vishing for SharePoint Data Theft
New data-extortion group Helix employs vishing, impersonation of managers, device-code phishing and MFA abuse to gain access to victim SharePoint environments. Operators register new authenticators, enumerate files and exfiltrate data for extortion or sale. Multiple organizations targeted.
On July 9, 2026, a newly emerged cybercrime group called Helix began targeting organizations by using vishing calls and device-code phishing to steal files and documents from corporate SharePoint environments. Public reporting indicates that the attackers impersonate company managers, abuse multi-factor authentication, register new authenticators, enumerate sensitive data, and then extort victims or sell the stolen information. Anyone whose employer uses Microsoft SharePoint could have had personal or family-related documents exposed in these incidents.
Confirmed Attack Details
Available reporting describes Helix operators gaining initial access through voice phishing that tricks employees into approving fraudulent authentication requests. Once inside, they register rogue authenticators, bypass MFA, and systematically list and exfiltrate files from SharePoint document libraries. The group has struck multiple organizations, although the exact number of victims and total records exposed remains unknown at this time. Files and documents are the primary data types stolen, often containing contracts, employee records, or internal correspondence that can reveal personal details.
Why This Matters for You and Your Family
When your employer’s SharePoint environment is breached, documents containing your address, phone number, children’s names, or financial details can end up in criminal hands. These leaks rarely stay isolated. A single exposed work file can link your professional email to personal accounts, giving attackers the starting point for identity theft, account takeovers, or harassment directed at you or your family members. Multiple organizations targeted means the risk is not theoretical — it is actively occurring right now.
Doxxing and Identity-Chain Risks
Stolen SharePoint files frequently contain spreadsheets or PDFs that list employee contact information alongside family emergency contacts or dependent details. Attackers can combine this data with information already circulating on underground forums to build complete identity chains. One leaked work document can expose your home address, link it to your children’s names, and lead to doxxing attempts on social media or gaming platforms where family members use the same or similar credentials. This cascading effect turns a corporate breach into a household privacy crisis.
Helix Group Track Record
Public reporting attributes the emergence of Helix to mid-2026. The group is described as a new entrant in the data-extortion ecosystem. Its publicly known playbook relies on vishing, manager impersonation, device-code phishing, and MFA abuse to reach SharePoint repositories. Once inside, operators exfiltrate documents and either demand payment directly from the victim company or auction the data on dark-web markets. ReliaQuest and BleepingComputer have both documented this consistent pattern across Helix’s early campaigns.
What to do
- Run a DoxxScan to map every link between your work emails, personal handles, phone numbers, and real-world identity so you can see exactly what chains exist today.
- Rotate every password used at your employer’s SharePoint environment anywhere it has been reused, and switch to 2FA through an authenticator app instead of text messages.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak exposing you or your family is caught and addressed in hours rather than months.
- Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which often become the next target when credential leaks cascade into doxxing chains.
- Let remediation specialists handle takedown requests for any exposed personal information found in data-broker listings or extortion sites.
The incident shows that corporate systems holding your family’s information are under active attack through increasingly personal social-engineering methods. Staying ahead requires both immediate credential hygiene and ongoing visibility that ordinary consumers can actually use. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts vulnerable to the same credential-stuffing attacks that follow SharePoint leaks.
Related breaches
Everest ransomware claims breach of Liberty Mutual insurance data
The Everest ransomware group listed Liberty Mutual on its leak site, claiming theft of over 100 GB o…
Instructure Canvas LMS suffers massive data theft affecting 275M users
Education technology company Instructure confirmed a breach of its Canvas learning management system…
Crunchbase Massive Personal Records Leak — January 2026
ShinyHunters exfiltrated approximately 2 million records from the business-intelligence platform Cru…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →