Detect Customer Relationship Management Software in CrowdStrike LogScale
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.004 Customer Relationship Management Software
- Canonical reference
- https://attack.mitre.org/techniques/T1213/004/
LogScale Detection Query
// CRM Bulk Data Export — T1213.004
// Detects volumetric DNS queries to known CRM platform domains as an endpoint-side
// indicator of bulk API access or data extraction sessions.
// NOTE: This is an indirect/proxy indicator. Tune threshold to environment baseline.
#repo=base_sensor #event_simpleName=DnsRequest
| DomainName = /(?i)(\.(salesforce|force|my\.salesforce)\.com|dynamics\.com|\.zendesk\.com|\.hubspot\.com|\.hubapi\.com|zoho\.com|service-now\.com)/
| groupBy(
[UserName, ComputerName, DomainName, aid],
function=[
count(as=dns_query_count),
min(ContextTimeStamp, as=first_seen_epoch),
max(ContextTimeStamp, as=last_seen_epoch)
],
limit=max
)
| where dns_query_count >= 50
| eval duration_min = (last_seen_epoch - first_seen_epoch) / 60000
| eval rate_per_min = round(dns_query_count / max(duration_min, 1), 2)
| eval first_seen = formatTime("%Y-%m-%dT%H:%M:%SZ", field=first_seen_epoch, timezone="UTC")
| eval last_seen = formatTime("%Y-%m-%dT%H:%M:%SZ", field=last_seen_epoch, timezone="UTC")
| eval severity = case(
dns_query_count >= 500, "Critical - Mass CRM domain resolution",
dns_query_count >= 200, "High - Elevated CRM API connection volume",
dns_query_count >= 50, "Medium - Above-baseline CRM DNS activity"
)
| table [UserName, ComputerName, DomainName, dns_query_count, duration_min, rate_per_min, first_seen, last_seen, severity]
| sort(dns_query_count, order=desc)CrowdStrike LogScale CQL query detecting volumetric DNS resolution to known CRM platform domains (Salesforce, Dynamics, Zendesk, HubSpot, Zoho, ServiceNow) as an endpoint-side proxy indicator for bulk data access or export sessions. Aggregates DnsRequest events per user, host, and CRM domain, applying tiered severity thresholds. This is an indirect detection pattern suitable for environments where CRM application audit logs are not available in the SIEM. Pair with FileOpenInfo events for CSV/XLSX file creation to increase fidelity. Maps to T1213.004.
Data Sources
Required Tables
False Positives & Tuning
- Web browsers or native CRM desktop clients (Salesforce Desktop, Dynamics 365 Unified Interface) generating high DNS query volumes during normal interactive use by sales professionals managing large contact lists or account hierarchies.
- CRM synchronization agents or integration middleware installed on endpoint systems that poll CRM APIs continuously for offline sync, mobile app caching, or calendar/email integration.
- CRM browser extensions (Salesforce Inbox, HubSpot Sales Extension, LinkedIn Sales Navigator) proactively resolving CRM domains during email composition or calendar scheduling, inflating DNS counts for normal users.
- DevOps or QA engineers running integration tests, load tests, or API validation scripts against CRM sandbox environments from developer workstations.
Other platforms for T1213.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Salesforce Bulk Contact Export via REST API (Python simple-salesforce)
Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].
- Test 2Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API
Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.
- Test 3Salesforce Report-Based Customer Data Extraction via Reports REST API
Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.
- Test 4Zendesk Bulk Customer User and Ticket Export via REST API
Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.
References (11)
- https://attack.mitre.org/techniques/T1213/004/
- https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
- https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
- https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_what_is_rest_api.htm
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
- https://learn.microsoft.com/en-us/power-apps/developer/data-platform/webapi/overview
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-salesforce
- https://developer.zendesk.com/api-reference/ticketing/ticket-management/audit_logs/
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
Unlock Pro Content
Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.