T1213.004

Customer Relationship Management Software

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.

Microsoft Sentinel / Defender

kusto

let BulkThreshold = 50;
let ExportActionKeywords = dynamic(["Export", "BulkExport", "DataExport", "ReportDownload", "MassDownload", "Download", "ExportToFile", "ListViewExport", "BulkDownload"]);
let CRMApps = dynamic(["Salesforce", "Microsoft Dynamics CRM", "Zendesk", "HubSpot", "Zoho CRM", "ServiceNow"]);
CloudAppEvents
| where Timestamp > ago(24h)
| where AppName has_any (CRMApps)
| where ActionType has_any (ExportActionKeywords)
    or tolower(ActionType) contains "export"
    or tolower(ActionType) contains "bulk"
    or tolower(ActionType) contains "download"
| summarize
    TotalEvents = count(),
    ExportCount = countif(ActionType has_any (ExportActionKeywords)),
    ActionTypes = make_set(ActionType, 10),
    FirstActivity = min(Timestamp),
    LastActivity = max(Timestamp)
    by AccountDisplayName, AccountObjectId, AppName, IPAddress, CountryCode, ISP, bin(Timestamp, 1h)
| where TotalEvents >= BulkThreshold or ExportCount >= 3
| extend SessionDurationMin = datetime_diff('minute', LastActivity, FirstActivity)
| extend RatePerMinute = round(toreal(TotalEvents) / toreal(max_of(SessionDurationMin, 1)), 2)
| extend SeverityIndicator = case(
    ExportCount >= 5, "Critical - Repeated bulk exports detected",
    TotalEvents >= 200, "High - Volumetric CRM record access",
    ExportCount >= 1 and CountryCode !in ("US", "GB", "CA", "AU", "DE", "FR", "NL") and CountryCode != "", strcat("High - CRM export from unexpected country: ", CountryCode),
    ExportCount >= 1, "Medium - CRM data export event",
    "Medium - Elevated CRM access volume")
| project
    FirstActivity, LastActivity, AccountDisplayName, AccountObjectId,
    AppName, IPAddress, CountryCode, ISP,
    TotalEvents, ExportCount, ActionTypes,
    SessionDurationMin, RatePerMinute, SeverityIndicator
| sort by ExportCount desc, TotalEvents desc

high severity medium confidence

Data Sources

Application Log: Application Log Content Microsoft Defender for Cloud Apps (MDCA) App Connectors SaaS Platform Activity Logs

Required Tables

CloudAppEvents

False Positives

CRM data migration or integration projects that perform scheduled bulk exports via service accounts — typically identifiable by consistent schedule and service account names
Sales operations teams running legitimate pipeline reports, territory management exports, or executive dashboards — usually occur during business hours from corporate IP ranges
Marketing automation platforms (Pardot, Marketing Cloud, Marketo) that sync contact data on scheduled intervals using authorized OAuth integrations
Data backup and compliance tools (OwnBackup, Spanning, AvePoint) performing authorized CRM snapshots — identifiable by service account and consistent nightly schedule
Customer success teams bulk-exporting contacts for QBR preparation or authorized email campaign lists via approved Salesforce Data Loader or similar tools

Splunk

spl

index=salesforce (sourcetype="salesforce:logfile:Report" OR sourcetype="salesforce:logfile:BulkApi" OR sourcetype="salesforce:logfile:ApiTotalUsage" OR sourcetype="salesforce:logfile:ListView")
| eval action_category=case(
    sourcetype="salesforce:logfile:Report", "report_execution",
    sourcetype="salesforce:logfile:BulkApi", "bulk_api",
    sourcetype="salesforce:logfile:ListView", "list_view",
    1=1, "api_usage")
| eval user=coalesce(USER_ID_DERIVED, USER_ID, "unknown")
| eval source_ip=coalesce(CLIENT_IP, SOURCE_IP, "unknown")
| bin _time span=1h
| stats
    count as event_count,
    dc(ENTITY_NAME) as unique_object_types,
    sum(ROWS_PROCESSED) as total_records,
    values(action_category) as action_categories,
    values(ENTITY_NAME) as objects_accessed,
    values(source_ip) as source_ips,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by user, _time
| eval session_duration_min=round((last_seen - first_seen) / 60, 1)
| eval rate_per_min=round(event_count / if(session_duration_min < 1, 1, session_duration_min), 2)
| eval risk_score=case(
    total_records >= 5000, 4,
    event_count >= 200 OR total_records >= 1000, 3,
    mvfind(action_categories, "bulk_api") >= 0 AND event_count >= 10, 2,
    event_count >= 50, 1,
    1=1, 0)
| where risk_score >= 1
| eval risk_label=case(
    risk_score >= 4, "Critical - Mass CRM data extraction",
    risk_score == 3, "High - Bulk CRM data export or volumetric access",
    risk_score == 2, "Medium - Elevated Bulk API usage",
    1=1, "Low - Above-baseline CRM activity")
| table first_seen, last_seen, user, action_categories, objects_accessed, source_ips, event_count, unique_object_types, total_records, session_duration_min, rate_per_min, risk_score, risk_label
| sort - risk_score event_count

high severity medium confidence

Data Sources

Application Log: Application Log Content Salesforce Event Monitoring Logs SaaS Platform Activity Logs

Required Sourcetypes

salesforce:logfile:Report salesforce:logfile:BulkApi salesforce:logfile:ApiTotalUsage salesforce:logfile:ListView

False Positives

CRM data migration or integration projects performing scheduled bulk exports via dedicated service accounts
Sales operations teams running legitimate pipeline analysis reports or territory management exports, typically during business hours
Marketing automation platforms (Pardot, Marketing Cloud, Marketo) syncing contact data via authorized Salesforce integrations with scheduled batch jobs
Data backup tools (OwnBackup, Spanning) performing authorized daily Salesforce snapshots using dedicated backup user accounts
Customer success or RevOps teams exporting data for QBR preparation or authorized bulk email campaigns using Salesforce Data Loader

IBM QRadar (AQL)

sql

SELECT
  USERNAME AS user,
  SOURCEIP AS source_ip,
  LOGSOURCENAME(logsourceid) AS crm_platform,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  COUNT(*) AS event_count,
  COUNT(DISTINCT QIDNAME(qid)) AS unique_action_types,
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) AS export_event_count,
  SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%bulk%' THEN 1 ELSE 0 END) AS bulk_event_count,
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_activity,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_activity,
  (MAX(starttime) - MIN(starttime)) / 60 AS session_duration_min,
  COUNT(*) / NULLIF((MAX(starttime) - MIN(starttime)) / 60, 0) AS events_per_min,
  CASE
    WHEN SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 5
      THEN 'Critical - Repeated bulk exports detected'
    WHEN COUNT(*) >= 200
      THEN 'High - Volumetric CRM record access'
    WHEN SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 1
      THEN 'Medium - CRM data export event'
    ELSE 'Medium - Elevated CRM access volume'
  END AS severity_label
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN (
    'Salesforce Security Audit Trail',
    'Microsoft Dynamics 365',
    'Zendesk',
    'HubSpot CRM',
    'Zoho CRM',
    'ServiceNow'
  )
  AND (
    LOWER(QIDNAME(qid)) LIKE '%export%'
    OR LOWER(QIDNAME(qid)) LIKE '%bulk%'
    OR LOWER(QIDNAME(qid)) LIKE '%download%'
    OR LOWER(QIDNAME(qid)) LIKE '%report%'
    OR LOWER(QIDNAME(qid)) LIKE '%mass%'
  )
  AND USERNAME IS NOT NULL
  AND USERNAME != 'N/A'
GROUP BY
  USERNAME,
  SOURCEIP,
  LOGSOURCENAME(logsourceid),
  LOGSOURCETYPENAME(logsourceid),
  TRUNCATE(starttime, 'HOUR')
HAVING
  COUNT(*) >= 50
  OR SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 3
ORDER BY
  export_event_count DESC, event_count DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Salesforce Security Audit Trail (QRadar DSM) Microsoft Dynamics 365 audit log (QRadar DSM) Zendesk audit log (QRadar Universal DSM) HubSpot CRM activity log (QRadar Universal DSM) Zoho CRM audit trail (QRadar Universal DSM) ServiceNow security audit log (QRadar DSM)

Required Tables

events

False Positives

Automated nightly data warehouse sync jobs using dedicated service accounts that perform bulk CRM exports to feed BI platforms such as Tableau, Power BI, or Looker — these typically generate high event counts from static, known IPs.
Third-party integration middleware platforms (MuleSoft, Boomi, Zapier) configured to poll CRM records at high frequency for downstream system synchronization; service account usernames are usually identifiable.
CRM administrators performing annual data hygiene exercises, GDPR/CCPA compliance audits, or mass record deduplication campaigns requiring large-scale exports and re-imports.
Revenue intelligence or forecasting tools (Clari, Gong, Chorus) accessing CRM APIs to pull deal and contact data for predictive modeling at elevated rates.

Sumo Logic CSE

sql

(_sourceCategory=salesforce OR _sourceCategory=dynamics365 OR _sourceCategory=zendesk OR _sourceCategory=hubspot OR _sourceCategory=zoho_crm OR _sourceCategory=servicenow)
| where action matches /(?i)export|bulk|download|report|mass/
| timeslice 1h
| stats
    count as event_count,
    dcount(action) as unique_actions,
    sum(rows_processed) as total_records,
    values(action) as action_list,
    first(src_ip) as source_ip,
    min(_messagetime) as first_seen_ms,
    max(_messagetime) as last_seen_ms
  by user, _timeslice, app_name
| where event_count >= 50 or total_records >= 1000
| eval session_duration_min = (last_seen_ms - first_seen_ms) / 60000
| eval rate_per_min = if(session_duration_min < 1, tolong(event_count), event_count / session_duration_min)
| eval risk_label = if(total_records >= 5000, "Critical - Mass CRM data extraction",
    if(event_count >= 200 or total_records >= 1000, "High - Bulk CRM data export or volumetric access",
    if(event_count >= 50, "Medium - Elevated CRM access volume", "Low - Above-baseline CRM activity")))
| fields _timeslice, user, app_name, source_ip, action_list, event_count, unique_actions, total_records, session_duration_min, rate_per_min, risk_label
| sort by -event_count

high severity medium confidence

Data Sources

Salesforce audit trail (Sumo Logic Salesforce App) Microsoft Dynamics 365 audit log Zendesk audit events HubSpot CRM activity stream Zoho CRM audit trail ServiceNow security audit log

Required Tables

_sourceCategory=salesforce _sourceCategory=dynamics365 _sourceCategory=zendesk _sourceCategory=hubspot _sourceCategory=zoho_crm _sourceCategory=servicenow

False Positives

Scheduled ETL pipelines or data integration services using service accounts that perform bulk CRM data extractions to populate data lakes or cloud warehouses on a nightly or weekly basis — identifiable by recurring time patterns and consistent source IPs.
Marketing operations teams generating segmented contact lists, campaign audience exports, or enrichment data pulls as part of normal demand generation workflows during product launch periods.
CRM data migration projects when consolidating CRM instances or switching vendors, requiring large-scale record exports over an extended period.
Customer success platforms (Gainsight, Totango, ChurnZero) synchronizing CRM contact and account records at elevated volume for health scoring and renewal pipeline tracking.

Google Chronicle / SecOps

yaral

rule t1213_004_crm_bulk_data_export {
  meta:
    author = "df00tech"
    description = "Detects bulk data exports or repeated export-type actions from CRM platforms indicating potential data mining activity (T1213.004 - Collection: CRM Software)"
    mitre_attack_technique = "T1213.004"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    priority = "HIGH"
    platforms = "SaaS"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    (
      re.regex($e.target.application.name, `(?i)salesforce|microsoft dynamics|zendesk|hubspot|zoho crm|servicenow`) or
      re.regex($e.metadata.product_name, `(?i)salesforce|dynamics 365|zendesk|hubspot|zoho|servicenow`) or
      re.regex($e.metadata.vendor_name, `(?i)salesforce|microsoft|zendesk|hubspot|zoho|servicenow`)
    )
    (
      re.regex($e.metadata.event_subtype, `(?i)export|bulk_export|data_export|report_download|mass_download|bulk_download|list_view_export|export_to_file`) or
      re.regex($e.target.resource.name, `(?i)export|bulk|download|report`) or
      re.regex($e.security_result.description, `(?i)export|bulk|download|report`)
    )
    $e.principal.user.userid = $user
    $e.principal.ip = $ip

  match:
    $user, $ip over 1h

  condition:
    #e >= 3
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Salesforce audit trail ingested via Chronicle SIEM Salesforce parser Microsoft Dynamics 365 / Microsoft 365 Unified Audit Log via Chronicle O365 parser Zendesk, HubSpot, Zoho, and ServiceNow cloud audit logs via Chronicle universal parsers

Required Tables

USER_RESOURCE_ACCESS UDM event type

False Positives

CRM integration service accounts legitimately performing scheduled bulk exports for downstream analytics pipelines, data warehouse loads, or BI tool synchronization — typically appear as non-human principal usernames at consistent times.
Power users or sales operations analysts generating large account lists, opportunity exports, or contact record downloads during quarterly business review (QBR) or board reporting preparation.
Automated backup or compliance archival processes exporting CRM records to cloud storage on a scheduled basis for regulatory retention or disaster recovery purposes.
Revenue intelligence platforms (Outreach, SalesLoft, Apollo) making elevated-volume API calls to sync contact and activity data for engagement tracking and sequence automation.

CrowdStrike LogScale (CQL)

cql

// CRM Bulk Data Export — T1213.004
// Detects volumetric DNS queries to known CRM platform domains as an endpoint-side
// indicator of bulk API access or data extraction sessions.
// NOTE: This is an indirect/proxy indicator. Tune threshold to environment baseline.

#repo=base_sensor #event_simpleName=DnsRequest
| DomainName = /(?i)(\.(salesforce|force|my\.salesforce)\.com|dynamics\.com|\.zendesk\.com|\.hubspot\.com|\.hubapi\.com|zoho\.com|service-now\.com)/
| groupBy(
    [UserName, ComputerName, DomainName, aid],
    function=[
      count(as=dns_query_count),
      min(ContextTimeStamp, as=first_seen_epoch),
      max(ContextTimeStamp, as=last_seen_epoch)
    ],
    limit=max
  )
| where dns_query_count >= 50
| eval duration_min = (last_seen_epoch - first_seen_epoch) / 60000
| eval rate_per_min = round(dns_query_count / max(duration_min, 1), 2)
| eval first_seen = formatTime("%Y-%m-%dT%H:%M:%SZ", field=first_seen_epoch, timezone="UTC")
| eval last_seen = formatTime("%Y-%m-%dT%H:%M:%SZ", field=last_seen_epoch, timezone="UTC")
| eval severity = case(
    dns_query_count >= 500, "Critical - Mass CRM domain resolution",
    dns_query_count >= 200, "High - Elevated CRM API connection volume",
    dns_query_count >= 50,  "Medium - Above-baseline CRM DNS activity"
  )
| table [UserName, ComputerName, DomainName, dns_query_count, duration_min, rate_per_min, first_seen, last_seen, severity]
| sort(dns_query_count, order=desc)

medium severity low confidence

Data Sources

CrowdStrike Falcon Sensor endpoint telemetry (base_sensor repository) DnsRequest events from Falcon kernel-level DNS monitoring Optional: FileOpenInfo events for file creation correlation

Required Tables

#repo=base_sensor #event_simpleName=DnsRequest

False Positives

Web browsers or native CRM desktop clients (Salesforce Desktop, Dynamics 365 Unified Interface) generating high DNS query volumes during normal interactive use by sales professionals managing large contact lists or account hierarchies.
CRM synchronization agents or integration middleware installed on endpoint systems that poll CRM APIs continuously for offline sync, mobile app caching, or calendar/email integration.
CRM browser extensions (Salesforce Inbox, HubSpot Sales Extension, LinkedIn Sales Navigator) proactively resolving CRM domains during email composition or calendar scheduling, inflating DNS counts for normal users.
DevOps or QA engineers running integration tests, load tests, or API validation scripts against CRM sandbox environments from developer workstations.

Last updated: 2026-04-19 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001Confluence T1213.002Sharepoint T1213.003Code Repositories T1213.005Messaging Applications T1213.006Databases

Customer Relationship Management Software

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections