HowTo: Fix False Opens and Clicks in AttackPhish Reports

Posted on

Why Does My AttackPhish Report Show Users Opening and Clicking Emails They Never Saw?

Overview

​If you’re seeing users listed as having opened and clicked phishing emails within seconds, or even before they could have possibly opened them, don’t worry. Your users aren’t lying, and nothing is broken. What you’re seeing is a byproduct of modern email security tools doing their job.

What’s Happening

Many email security solutions such as Microsoft Defender for Office 365BarracudaMimecast, and Proofpoint include features like Safe LinksURL Protection, or Link Scanning.

When a simulated phishing email from CyberHoot’s AttackPhish module arrives, these systems automatically:

  1. Open the message in a secure sandbox to inspect its contents.
  2. “Click” every link in the email to verify it’s safe before delivering it to the user’s inbox.

These automated scans trigger the same tracking mechanisms CyberHoot uses to record legitimate user activity. The result is that your report may show:

  • The email was opened seconds after delivery.
  • A link was “clicked” within the same minute.
  • Multiple users showing identical timestamps.

Why This Happens

  • Automated link scanners mimic user clicks.
  • Security gateways follow embedded URLs to check for malicious redirects.
  • Tracking pixels are loaded during this process, falsely marking messages as opened.

In short, your security system (not your user) is the one “clicking.”

How to Fix It

To ensure your AttackPhish reports accurately reflect real user behavior, you’ll need to allow CyberHoot’s phishing simulations to pass through your email filters without sandbox inspection.

Follow the guide below for M365:

[Guide: HowTo – Allow-List by X-Header in Exchange 2013/2016 or Microsoft 365]

For the list of CyberHoot’s IP addresses and domain names needed to set up the allow-listing and to help you with other technologies, please check this page:

https://cyberhoot.com/howto/cyberhoots-email-ip-addresses-and-hostnames/

Summary

False “opens” and “clicks” in AttackPhish reports are almost always caused by link-scanning technologies doing what they’re designed to do: protect your users. Once CyberHoot’s domains or headers are allow-listed, you’ll see accurate results that reflect genuine user behavior.

The post HowTo: Fix False Opens and Clicks in AttackPhish Reports appeared first on CyberHoot.

Related Posts