title: Customer Relationship Management Software (T1213.004)
id: df00tech-t1213-004
status: experimental
description: "Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed a CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers."
references:
  - https://attack.mitre.org/techniques/T1213/004/
  - https://df00tech.com/detections/T1213.004
author: df00tech
date: 2026/04/19
tags:
  - attack.t1213.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
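  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: it matches any event that carries an EventID field,
  # so replace it with the translated logic before deploying this rule.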
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - CRM data migration or integration projects that perform scheduled bulk exports via service accounts — typically identifiable by consistent schedule and service account names
  - "Sales operations teams running legitimate pipeline reports, territory management exports, or executive dashboards — usually occur during business hours from corporate IP ranges"
  - "Marketing automation platforms (Pardot, Marketing Cloud, Marketo) that sync contact data on scheduled intervals using authorized OAuth integrations"
  - "Data backup and compliance tools (OwnBackup, Spanning, AvePoint) performing authorized CRM snapshots — identifiable by service account and consistent nightly schedule"
  - Customer success teams bulk-exporting contacts for QBR preparation or authorized email campaign lists via approved Salesforce Data Loader or similar tools
level: high
