Helix Vishing Attacks: What Australian Businesses Need to Know in 2026
Helix vishing attacks represent a dangerous new threat targeting organisations across Australia and globally, combining voice phishing with sophisticated identity-focused tactics to steal sensitive data from SharePoint environments. This emerging data-extortion group, first identified in July 2026, has demonstrated alarming effectiveness in bypassing traditional security controls through social engineering and multi-factor authentication abuse.
For Australian businesses relying on Microsoft 365 and SharePoint for collaboration, this threat demands immediate attention. The Helix group’s methodology signals a significant evolution in how cybercriminals target corporate data, moving beyond traditional malware to exploit human vulnerabilities and trusted authentication mechanisms.
“A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.”
— Source: BleepingComputer
What Happened: The Emergence of Helix Group
Security researchers have uncovered a new threat actor operating under the name Helix, specialising in data theft and extortion campaigns. Unlike ransomware groups that encrypt files, Helix focuses exclusively on exfiltrating sensitive information from SharePoint environments before demanding payment to prevent public disclosure.
The group’s operations were first documented in early July 2026, with multiple confirmed victims across various industries. Their targeting of SharePoint—a platform used by over 200 million users worldwide—makes this threat particularly concerning for enterprises storing confidential documents, intellectual property, and customer data in cloud collaboration tools.
Initial Access Techniques
Helix employs a multi-pronged approach to gain initial access:
- Voice phishing (vishing): Attackers call employees impersonating IT support staff, convincing them to provide credentials or approve authentication requests
- Device code phishing: Victims are tricked into entering attacker-controlled device codes into legitimate Microsoft authentication pages
- MFA fatigue attacks: Repeated authentication push notifications overwhelm users until they approve a malicious request
How Does the Helix Vishing Attack Work?
Understanding the Helix attack chain is crucial for developing effective defences. The group demonstrates sophisticated understanding of corporate security environments and human psychology.
Phase 1: Reconnaissance and Targeting
Attackers identify high-value targets through LinkedIn profiles, company websites, and data from previous breaches. They focus on employees with access to sensitive SharePoint repositories, including finance, legal, and executive assistants.
Phase 2: Voice Phishing Execution
The attacker places a convincing phone call, typically claiming to be from the internal IT helpdesk or Microsoft support. Common pretexts include:
- Urgent security updates requiring immediate authentication
- Suspicious activity detected on the user’s account
- Mandatory compliance verification procedures
Phase 3: Authentication Bypass
During the call, attackers guide victims through authenticating on attacker-controlled infrastructure or approving MFA prompts. Device code phishing is particularly effective because victims enter codes on legitimate Microsoft pages, reducing suspicion.
Phase 4: Data Exfiltration
Once authenticated, attackers rapidly enumerate SharePoint sites and download sensitive documents using automated tools. The entire exfiltration process can occur within minutes of gaining access, often before security teams can respond.
Business Impact of SharePoint Data Theft
The consequences of a successful Helix vishing attack extend far beyond immediate data loss. Australian organisations face multiple categories of risk.
Financial Consequences
- Extortion demands ranging from tens of thousands to millions of dollars
- Incident response and forensic investigation costs
- Potential regulatory fines under the Privacy Act 1988 and Notifiable Data Breaches scheme
- Business interruption during investigation and remediation
Reputational Damage
Data extortion groups increasingly publish stolen information on leak sites when victims refuse payment. Public exposure of confidential business documents, customer data, or internal communications can permanently damage stakeholder trust and competitive positioning.
Regulatory Obligations
Australian businesses experiencing eligible data breaches must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals. Failure to comply carries significant penalties, particularly following recent strengthening of privacy legislation.
Actionable Recommendations to Prevent Helix Vishing Attacks
Protecting your organisation requires a layered approach addressing both technical controls and human factors. Consider implementing the following measures immediately.
Technical Controls
- Implement phishing-resistant MFA: Deploy FIDO2 security keys or certificate-based authentication instead of SMS or push notifications
- Disable device code authentication: If not required, block this authentication flow in Azure AD/Entra ID
- Enable Conditional Access policies: Restrict SharePoint access based on device compliance, location, and risk signals
- Configure alerting for mass downloads: Monitor and alert on unusual file access patterns in SharePoint
- Implement Data Loss Prevention (DLP): Prevent bulk exfiltration of sensitive document types
Human-Centric Defences
- Conduct regular security awareness training specifically addressing vishing scenarios
- Establish clear verification procedures for IT support requests
- Create a culture where employees feel comfortable questioning unexpected calls
- Implement callback verification for any requests involving authentication
If your organisation needs assistance evaluating exposure to identity-based attacks, our vulnerability management services can identify gaps in your Microsoft 365 security configuration.
Frequently Asked Questions
What is a vishing attack and how does it differ from phishing?
Vishing, or voice phishing, uses phone calls instead of emails to deceive victims. Attackers exploit the urgency and personal nature of voice communication to bypass the scrutiny people typically apply to suspicious emails. Helix vishing attacks combine phone calls with technical exploitation of authentication mechanisms, making them particularly effective against trained employees.
How can I protect my business from SharePoint data theft?
Protecting SharePoint requires multiple layers: implement phishing-resistant MFA such as FIDO2 keys, configure Conditional Access policies, enable audit logging and anomaly detection, train employees on vishing tactics, and establish verification procedures for IT support calls. Regular security assessments help identify configuration weaknesses before attackers exploit them.
What should I do if my organisation has been targeted by Helix?
Immediately isolate compromised accounts, revoke active sessions, and engage your incident response team or a trusted cybersecurity partner. Preserve logs for forensic analysis, assess the scope of accessed data, and prepare for potential notification obligations. Do not engage directly with extortion demands without professional guidance. Speak with our security team for immediate assistance.
Key Takeaways
- Helix is a new data-extortion group using voice phishing, device code phishing, and MFA abuse to steal SharePoint data
- The group bypasses traditional security controls by targeting human vulnerabilities and legitimate authentication mechanisms
- Australian businesses face financial, reputational, and regulatory consequences from successful attacks
- Phishing-resistant MFA (FIDO2/passkeys) provides the strongest protection against these identity-focused attacks
- Employee awareness and verification procedures are essential complements to technical controls
Conclusion: Staying Ahead of Helix Vishing Threats
The emergence of Helix vishing attacks underscores a critical shift in the threat landscape. Cybercriminals increasingly recognise that exploiting human trust and legitimate authentication systems offers higher success rates than traditional malware. Australian organisations must adapt their defences accordingly.
Protecting against identity-focused threats requires combining robust technical controls with comprehensive employee education. By implementing phishing-resistant authentication, monitoring SharePoint access patterns, and training staff to recognise vishing tactics, businesses can significantly reduce their exposure to this emerging threat.
Don’t wait until your organisation becomes a victim. Assess your Microsoft 365 security posture today and ensure your team knows how to respond when attackers call.
