Fake Salesforce CRM org suspended, Sales Cloud licenses no longer active, users locked out, or subscription payment failed phishing — impersonates Salesforce to harvest credentials granting full CRM and pipeline access
fake-salesforce-crm-sales-cloud-billing-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Salesforce claim that the CRM org has been suspended, Sales Cloud licenses are no longer active, users are locked out, or the subscription payment has failed, and direct victims to update billing through a credential-harvesting portal. This is an extremely high-value attack category because Salesforce is the world's dominant enterprise CRM and the system of record for revenue operations at 150,000+ organizations: a Salesforce org suspension creates a company-wide revenue visibility blackout.
Key facts:
(1) Salesforce serves 150,000+ customers across 150+ countries ($25-$300/user/month Sales Cloud Essentials-Unlimited, $300,000-$3,000,000+/year Enterprise contracts) as the CRM platform for revenue operations. A 'Salesforce org suspended due to billing failure' email implies all sales reps lose access to every prospect record, every opportunity in the pipeline, every account history, and every contact; for a 50-person sales team, this is equivalent to every salesperson being locked out of their office and all their files simultaneously.
(2) The org suspension hook targets the Salesforce Admin as the decision-maker: Salesforce Admins manage billing and receive platform notifications; they are also the most aware of the consequences of an org suspension (all users locked out instantly) and therefore most likely to act without verifying the sender domain.
(3) Salesforce's quarterly business review (QBR) timing creates maximum urgency: Salesforce orgs are most critical the week before each quarter ends, when sales leadership is reviewing pipeline and pushing deals to close. A 'licenses no longer active' email timed to arrive during Q1/Q2/Q3/Q4 close week creates extreme time pressure.
(4) Salesforce credentials expose the most valuable enterprise intelligence: every sales opportunity and its deal value, stage, and close probability; every customer and prospect account including annual contract values and renewal dates; every contact's role, seniority, and relationship to the organization; all sales forecast data; all Salesforce Flow automation revealing the company's sales process; and OAuth tokens for Slack, Outlook, Google Workspace, DocuSign, Marketo, and Pardot integrations. A single Salesforce credential compromise grants access to every commercial relationship the company has.
(5) Salesforce's role as the single source of truth for revenue means a credential compromise enables targeted business email compromise: an attacker with Salesforce access knows exactly which prospects are near the close, which executives are involved, and what objections were raised, enabling highly targeted CEO fraud and vendor payment redirect attacks with perfect context.
Warning signs: sender not salesforce.com or force.com; genuine Salesforce billing at salesforce.com/billing; Salesforce org admins at setup.salesforce.com/products.
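The warning signs above can be checked mechanically. The following is an added example, not Gorganizer's own code: it fires only when a message claims the Salesforce brand, uses one of the four lures, and comes from a sender outside salesforce.com or force.com. The regexes, function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = ("salesforce.com", "force.com")  # sender domains the page lists as genuine
F = re.I | re.S
# The four lures the page names, as loose patterns (assumed wording, not Gorganizer's rules).
LURES = {
    "org_suspended": re.compile(r"\borg\b.{0,40}\bsuspend", F),
    "licenses_inactive": re.compile(r"\blicen[sc]es?\b.{0,40}\b(no longer active|inactive)", F),
    "users_locked_out": re.compile(r"\busers?\b.{0,40}\blocked out", F),
    "payment_failed": re.compile(r"\b(payment|billing)\b.{0,40}\b(failed|failure|declined)", F),
}
# Constructed sample messages; the .example domain is reserved and not a real sender.
PHISH = ("From: Salesforce Billing <billing@salesforce.com.billing-update.example>\n"
         "Subject: Action required: your Salesforce org has been suspended\n\n"
         "Your subscription payment failed and all users are locked out.\n")
LEGIT = ("From: Salesforce <noreply@mail.salesforce.com>\n"
         "Subject: Your payment failed\n\n"
         "Your Salesforce subscription payment failed. Review it at salesforce.com/billing.\n")

def sender_is_trusted(from_header):
    """True only for a trusted domain or a true subdomain of one.
    A substring test would accept salesforce.com.billing-update.example."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def evaluate(raw_message):
    """Return which lures matched and whether the impersonation signal fires."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display, _ = parseaddr(from_header)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart bodies skipped here
    text = f"{msg.get('Subject', '')}\n{body}"
    claims_brand = "salesforce" in (display + " " + text).lower()
    lures = sorted(name for name, rx in LURES.items() if rx.search(text))
    trusted = sender_is_trusted(from_header)
    # A From header can be forged, so a trusted domain only withholds this one signal.
    return {"fires": claims_brand and bool(lures) and not trusted,
            "lures": lures, "trusted_sender": trusted}

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, evaluate(raw))
```

In line with the false-positive guard described on this page, a result like this is one input to a score rather than a verdict on its own.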
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.