On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee.

The lab, which is funded by the U.S. Department of Energy, conducts classified and unclassified energy and national security work for the federal government.

The e-mail, purporting to come from the lab’s human resources department, went to about 530 workers, or 11 percent of the lab’s workforce.

The cleverly crafted missive included a link to a malicious webpage, where workers could get information about employee benefits. But instead of getting facts about a health plan or retirement fund, workers who visited the site using Internet Explorer got bit with malicious code that downloaded silently to their machines.