
International NGO — Tanzania Chapter (identity withheld)

International NGO Reduces Phishing Click Rate from 34% to 6%

Duration: 8 weeks initial engagement, ongoing quarterly training
Services: Cloud Security Posture Assessment, Security Awareness Training, Incident Response Readiness

Challenge

No security baseline, staff using personal Gmail for donor communications, no MFA, and two recent phishing incidents.

Outcome

Microsoft 365 tenant hardened, MFA enforced across all staff, phishing simulation click rate fell from 34% to 6% over two quarters, incident response plan in place.

The Situation

The Tanzania chapter of an international NGO approached us following two phishing incidents within four months. In the first incident, a programme coordinator’s email account was compromised after clicking a fake Microsoft 365 sign-in page. The attacker used the account to send fraudulent emails to donors requesting bank transfer changes. In the second, a staff member clicked a phishing link that installed a credential-harvesting browser extension.

Neither incident resulted in confirmed financial loss, but the reputational risk was significant — donor trust is foundational to NGO operations, and the prospect of a donor receiving a fraudulent payment request from a compromised staff email was a serious concern for leadership.

At the time of engagement, the organisation had 34 staff across two Tanzania offices. Staff were using a mix of personal Gmail accounts and a Microsoft 365 tenancy that had been deployed 18 months earlier without any security configuration review. There was no MFA, no formal security policies, and no incident response plan.


What We Found

The Microsoft 365 assessment surfaced a configuration that had been set up for convenience, not security:

  • No MFA on any account, including the Global Administrator account
  • Legacy authentication protocols enabled (basic authentication for IMAP, POP and SMTP, for example). These protocols cannot prompt for MFA, so a phished password alone is enough to sign in through them; this was the same vector used in both incidents
  • External sharing unrestricted, with several SharePoint documents shared to “anyone with the link”
  • No DMARC record on their primary domain, so receiving mail servers had no policy to apply and mail forging the domain was delivered unchallenged; the domain could be spoofed trivially
  • Audit logging disabled — no forensic record existed of what the attacker had accessed during the first incident
  • Two former staff members’ accounts were still active
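A check for the DMARC finding above, which also serves to confirm the enforcement policy delivered later in the engagement. This is an added example written for this page, not a tool from the engagement: it classifies a domain's posture from the TXT strings published at `_dmarc.<domain>`, which for a live domain you would obtain with `dig +short TXT _dmarc.example.org` (the records below are constructed samples, and nothing here touches the network). It also flags the two configurations that look like protection but are not: `p=none`, which only requests reports, and `pct` below 100. DMARC only stops spoofing once SPF or DKIM is aligned for the organisation's legitimate senders; publishing the record alone does nothing for that.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record(s).

Added example for this page (not from the engagement). The record strings
in SAMPLE_RECORDS are constructed; nothing here touches the network."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DmarcVerdict:
    level: str                  # missing | invalid | monitor | quarantine | reject
    enforcing: bool             # True only when failing mail is actually acted on
    policy: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt_records: List[str]) -> DmarcVerdict:
    """Evaluate every TXT string found at _dmarc.<domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return DmarcVerdict("missing", False, notes=[
            "no DMARC record: receivers apply no policy, so mail claiming "
            "to be from this domain is delivered unchallenged"])
    if len(records) > 1:
        # RFC 7489 section 6.6.3: more than one record means receivers
        # discard DMARC processing for the domain entirely.
        return DmarcVerdict("invalid", False, notes=[
            "multiple DMARC records found; receivers will ignore all of them"])

    tags = parse_dmarc(records[0])
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return DmarcVerdict("invalid", False, policy, ["p= tag missing or unknown"])

    notes = []
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        notes.append("p=none only requests reports; spoofed mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp") == "none" and policy != "none":
        notes.append("sp=none: subdomains remain spoofable despite the parent policy")
    if "rua" not in tags:
        notes.append("no rua= address: you will receive no aggregate reports")

    enforcing = policy != "none" and pct == 100
    level = "monitor" if policy == "none" else policy
    return DmarcVerdict(level, enforcing, policy, notes)


# Constructed sample records, roughly the before/after of this engagement.
SAMPLE_RECORDS = {
    "before": [],
    "monitor-only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    "after": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; sp=reject"],
}

if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        verdict = evaluate_dmarc(records)
        print(f"{label:13} level={verdict.level:10} enforcing={verdict.enforcing}")
        for note in verdict.notes:
            print(f"{'':13}   - {note}")
```

Run it against a list of your own sending domains before the enforcement change goes in: a domain that comes back `monitor` with `enforcing=False` is the state this engagement moved away from, and a `pct` note after the change means the rollout was left half-finished.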

We also ran a baseline phishing simulation as part of the awareness training onboarding. The campaign sent 34 staff a simulated Microsoft 365 credential request. Eleven staff clicked the link — a 34% click rate, consistent with organisations with no prior security awareness training.


What We Delivered

Cloud Security Posture Assessment + remediation

We produced a prioritised remediation roadmap and worked through the critical and high findings with the organisation’s IT contact. Key remediation actions:

  • Conditional Access policies enforcing MFA across all accounts
  • Legacy authentication blocked — this directly addressed the attack vector used in both incidents
  • DMARC configured with an enforcement policy, so receivers are instructed to reject or quarantine mail that fails SPF and DKIM alignment
  • Audit logging enabled and retention extended
  • Former staff accounts deactivated
  • External sharing restricted to authenticated external users only
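The first two remediation items, MFA for everyone and legacy authentication blocked, are Conditional Access policies, and the thing that most often goes wrong with them is a policy left in report-only mode, scoped to a subset of users, or applied without a break-glass exclusion so that a mistake locks out the administrators. The following is an added example written for this page, not the engagement's own tooling: two constructed policies in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (the JSON you would pass to `New-MgIdentityConditionalAccessPolicy -BodyParameter` or POST to `/identity/conditionalAccess/policies`), plus a review function you can point at an export of a tenant's policies to check for those gaps. `BREAK_GLASS_ID` is a placeholder object ID.

```python
"""Review Microsoft Entra Conditional Access policies for the gaps closed in
this engagement: MFA required for every user, legacy authentication blocked,
and a break-glass account excluded so enforcement cannot lock out admins.

Added example for this page. The dictionaries follow the shape of the
Microsoft Graph conditionalAccessPolicy resource. They are constructed
sample policies, not exports from any tenant; BREAK_GLASS_ID is a
placeholder object ID."""

import json
from typing import Dict, List

BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, assumed
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}    # Graph's legacy-auth client types
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}

REQUIRE_MFA_ALL_USERS = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Legacy protocols (basic auth for IMAP/POP/SMTP, older Office clients) cannot
# complete an MFA challenge, so a phished password alone gets in through them.
BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _covers_everyone(policy: Dict) -> bool:
    """True when the policy targets all users and all cloud apps."""
    conds = policy.get("conditions", {})
    return ("All" in conds.get("users", {}).get("includeUsers", [])
            and "All" in conds.get("applications", {}).get("includeApplications", []))


def review_policies(policies: List[Dict], break_glass_id: str = BREAK_GLASS_ID) -> List[str]:
    """Return findings; an empty list means all three checks pass."""
    findings = []
    mfa_for_all = legacy_blocked = False
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        conds = p.get("conditions", {})
        controls = set(p.get("grantControls", {}).get("builtInControls", []))
        clients = set(conds.get("clientAppTypes", []))
        if p.get("state") != "enabled":
            # Report-only ("enabledForReportingButNotEnforced") logs but never blocks.
            findings.append(f"{name}: not enforced (state={p.get('state')})")
            continue
        if break_glass_id not in conds.get("users", {}).get("excludeUsers", []):
            findings.append(f"{name}: break-glass account not excluded")
        if "mfa" in controls and _covers_everyone(p) and (
                "all" in clients or MODERN_CLIENT_TYPES <= clients):
            mfa_for_all = True
        if "block" in controls and _covers_everyone(p) and LEGACY_CLIENT_TYPES <= clients:
            legacy_blocked = True
    if not mfa_for_all:
        findings.append("no enforced policy requires MFA for all users on all apps")
    if not legacy_blocked:
        findings.append("no enforced policy blocks legacy authentication clients")
    return findings


if __name__ == "__main__":
    print(json.dumps([REQUIRE_MFA_ALL_USERS, BLOCK_LEGACY_AUTH], indent=2))
    print("findings:", review_policies([REQUIRE_MFA_ALL_USERS, BLOCK_LEGACY_AUTH]) or "none")
```

The review deliberately treats report-only policies as absent: during a rollout it is normal to start in report-only mode, but a tenant is not hardened until the state flips to `enabled`, and it is exactly that last step that gets forgotten.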

Security Awareness Training — Quarters 1 and 2

We designed the quarterly phishing simulations around lures relevant to NGO staff: fake donor portal notifications, fake UN system login pages, and fake Bank of Tanzania (BoT) regulatory notices. Module content was tailored to the Tanzania context and delivered in English with key concepts translated for Swahili-speaking staff.

Quarter 1 simulation result: 34% click rate (baseline). Quarter 2 simulation result: 11% click rate across all staff. The 6% headline figure is narrower: it is the end-of-Quarter 2 click rate among the staff who had completed both training cycles, not a rate across the whole organisation.

The reduction reflects genuine behaviour change: staff reported suspicious emails to management, something that had not happened before the programme began. Reporting is the more telling measure, since a low click rate can be achieved simply by ignoring mail, whereas a report gives the organisation a chance to act.

Incident Response Readiness

We developed a complete incident response plan and four role-specific playbooks (executive, IT/operations, communications, programme management). The tabletop exercise used a Business Email Compromise scenario — directly relevant given the first incident — with a secondary scenario covering a compromised donor communication account.

The exercise surfaced two significant gaps: the escalation path to the global parent organisation was unclear, and the communications team did not know they had a role in incident response. Both were addressed in the improvement roadmap.


The Outcome

Six months after the initial engagement, the organisation’s Microsoft 365 environment was hardened against the attack vectors that had caused both incidents. Staff awareness had measurably improved. An incident response plan existed and had been tested.

The improvement roadmap from the tabletop exercise was used as the basis for a quarterly retainer that continues — covering ongoing phishing simulations, annual plan review, and security oversight for new projects that involve donor data.


What Made the Difference

The two phishing incidents that preceded the engagement were the catalyst — but the real driver of sustained improvement was leadership commitment. The country director participated personally in the tabletop exercise and made security awareness training mandatory for all staff. That organisational signal — that this matters, and leadership takes it seriously — correlates strongly with how quickly click rates fall in phishing simulations.

Technical controls alone do not produce a 34% to 6% reduction in click rates. The combination of hardened technology, training that is contextually relevant, and visible leadership commitment does.

Facing a similar challenge?

Book a free 30-minute discovery call. We'll give you an honest assessment of your situation and what a structured engagement would look like.