All articles
PhishingCybersecurityCase StudySecurity AwarenessMicrosoft Defender

Case Study: Strengthening Phishing Resilience for a Nonprofit Organization

Regroove IT Consulting6 min read710 words

Security awareness training is most effective when it is grounded in real data about how your team actually behaves. This case study describes how we helped a mission-driven nonprofit understand their phishing risk and build a more resilient workforce through structured attack simulation.

Background and Challenge

The organization had a distributed workforce and had experienced multiple phishing emails targeting staff. While none resulted in a confirmed breach, leadership recognized that reacting after the fact was not a sustainable approach. They wanted to understand where their vulnerabilities actually were and put a proactive program in place.

After discussing the options, the team agreed to implement a structured phishing simulation program to measure real user behavior and use that data to strengthen security awareness.

Approach and Implementation

We worked with the organization to design two distinct phishing simulations that reflected realistic attack scenarios:

  • Email A: A phishing message from an external sender, mimicking a common delivery or account notification.
  • Email B: An advanced attempt impersonating organizational leadership, designed to test susceptibility to social engineering.

The simulations included only human user accounts with Microsoft Defender for Office Plan 2 enabled. Shared mailboxes and service accounts were excluded to ensure clean, meaningful results.

The campaign ran for 25 days, tracking opens, link clicks, credential submissions, reporting actions, forwarding, and deletions.

Results and Key Findings

The two simulations produced notably different outcomes, which was itself an important insight.

Email A (External Sender):

  • Click rate: 12.5%
  • Credential compromises: 0
  • Reporting rate: 18.75%

Email B (Leadership Impersonation):

  • Credential compromise rate: 22.22%
  • Faster time-to-click compared to Email A
  • Two instances of the email being forwarded to other staff

The leadership impersonation scenario posed significantly higher risk. Users who hesitated on a generic external email were much more likely to act quickly when the message appeared to come from someone inside the organization in a position of authority. This is consistent with how real spear-phishing attacks operate.

Recommendations

Based on the results, we provided the following recommendations to the organization:

  • Have all staff complete the assigned security awareness training modules, with priority given to users who clicked or submitted credentials.
  • Reinforce the habit of verifying sender addresses and domains, especially for messages that appear to come from leadership.
  • Recognize and acknowledge users who correctly reported the simulated phishing emails, reinforcing that behavior.
  • Conduct follow-up simulations with different pretexts, including variations that test responses across different times of year and different urgency levels.
  • Implement clear protocols around email forwarding, particularly for messages that involve unusual requests or urgent instructions.
  • Reinforce the practice of hovering over links before clicking to verify destinations.

Outcome

The engagement gave the organization something more valuable than a general training program: real data about how their specific team responds to different types of attacks. That data shaped a targeted training and awareness plan built around their actual vulnerabilities rather than generic risk assumptions.

Security awareness is not a one-time event. This organization now has a repeatable framework for measuring and improving their resilience over time. If your organization wants to understand where it stands before an attacker does, we can help you design and run a program like this one.

Regroove IT Consulting

Microsoft Solutions Partner specializing in Managed IT Services and Modern Work, covering Microsoft 365, Teams, SharePoint, Power Platform, and Azure. Helping organizations everywhere get lasting value from their Microsoft investment since 1993.

About Regroove →

Need help with your Microsoft environment?

We work with organizations everywhere. Tell us where you are and what you're trying to solve.

Talk to Regroove