
San Francisco Exploratorium Museum

Primary URL: www[.]exploratorium[.]edu
Location: United States of America
Industry: Education
Profile

The San Francisco Exploratorium Museum was the target of a sophisticated spear-phishing attack in early September 2016. The incident commenced when an employee was deceived into submitting their email credentials to a fraudulent login page, resulting in the immediate compromise of their corporate account. Following initial access, the attacker maintained surveillance on the victim's communications for a three-day period, monitoring internal email traffic to gather contextual information. The adversary then methodically deleted the compromised account's contact list, configured email forwarding to route incoming messages directly to the trash folder, and launched a secondary phishing campaign. This campaign involved distributing carefully crafted, seemingly legitimate emails to the victim's colleagues, leveraging the trusted sender address to increase credibility. These follow-up emails contained malicious links designed to harvest credentials from additional staff members, and the tactic proved effective as several colleagues subsequently submitted their own login details to the counterfeit page. The phishing emails were disseminated broadly, ultimately enticing more than fifty museum employees to click the embedded malicious link.

The security breach was detected after observant staff identified a misspelled document title within the phishing emails, triggering internal security alerts and formal notifications. In response, the museum's administration promptly mandated password resets for all potentially affected accounts to contain the incident. Despite these immediate corrective actions, the organization's email systems endured repeated, unauthorized login attempts in the weeks that followed, demonstrating the attacker's persistent interest in the museum's network. The scale of the initial compromise, with over half of the staff interacting with the phishing link, revealed a significant vulnerability in employee awareness and email filtering protocols. The incident necessitated sustained monitoring and the reinforcement of cybersecurity measures to deter further intrusion attempts, as the malicious actor continued to probe the museum's defenses long after the initial compromise was discovered and addressed.

Incidents: 1 incident (linked incidents available to members)