I've been running phishing simulations for a while now without any issues, but I've noticed a real uptick in false positive click events recently, particularly from Microsoft IP addresses. These clicks aren't being initiated by users; they happen within a minute after the emails are delivered. It's puzzling because I've got Advanced Delivery fully configured with whitelisted sending domains, added sending IPs, simulation URLs, and tenant allow/block lists as part of the Threat Policies.
Despite all this setup, the false positives keep coming. Has anyone else experienced a similar problem with their Security Awareness Training platforms? Could this be related to any changes Microsoft made to Safe Links or something in the Defender pipeline around December? I've found that injecting emails directly into inboxes using Graph APIs helps reduce the false positives, but that isn't always a viable option. I'd really appreciate any insights or shared experiences!
2 Answers
From what I know, bots are often the ones clicking links to validate their safety. It could be that the system sees these automated clicks and registers them as real events. It's definitely frustrating!
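As an added example (not code from the original thread or from any particular Security Awareness Training product), here is a small Python script that post-processes simulation click logs and separates likely link-validation clicks from user clicks, so that campaign metrics are not inflated by scanners. Everything in it is constructed for illustration: the delivery and click records, the timestamps, the `SCANNER_NETWORKS` CIDR (an RFC 5737 documentation range used as a placeholder, not a real Microsoft range) and the 60-second window taken from the "within a minute after delivery" symptom described in the question.

```python
"""Classify phishing-simulation click events as user clicks or likely
automated (link-scanner) clicks. Added illustration, not platform code.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholder scanner range (RFC 5737 TEST-NET-3). In practice this list is
# populated from the source addresses observed on your own false positives.
SCANNER_NETWORKS = [ip_network("203.0.113.0/24")]
SCANNER_WINDOW = timedelta(seconds=60)  # "within a minute after delivery"
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")

# Constructed sample data: three recipients, three click events.
DELIVERIES = [
    {"target": "alice@example.com", "ts": "2024-01-15T09:00:00Z"},
    {"target": "bob@example.com", "ts": "2024-01-15T09:00:05Z"},
    {"target": "carol@example.com", "ts": "2024-01-15T09:00:10Z"},
]
CLICKS = [
    # scanner address, 20 s after delivery, empty user agent
    {"target": "alice@example.com", "ts": "2024-01-15T09:00:20Z",
     "ip": "203.0.113.7", "user_agent": ""},
    # real user, 42 minutes later, ordinary browser
    {"target": "alice@example.com", "ts": "2024-01-15T09:42:13Z",
     "ip": "198.51.100.23",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    # unknown address but 25 s after delivery with a library user agent
    {"target": "bob@example.com", "ts": "2024-01-15T09:00:30Z",
     "ip": "198.51.100.40", "user_agent": "python-requests/2.31.0"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-15T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def click_signals(click, delivered_at):
    """Return the automation signals present on a single click event."""
    signals = []
    if any(ip_address(click["ip"]) in net for net in SCANNER_NETWORKS):
        signals.append("scanner_ip")
    delta = parse_ts(click["ts"]) - delivered_at
    if timedelta(0) <= delta <= SCANNER_WINDOW:
        signals.append("within_window")
    if not any(m in click.get("user_agent", "") for m in BROWSER_MARKERS):
        signals.append("non_browser_ua")
    return signals


def is_automated(signals):
    """A known scanner address is decisive; otherwise require two weak signals,
    so a fast-reading user on a normal browser is still counted as a user."""
    return "scanner_ip" in signals or len(signals) >= 2


def score_campaign(deliveries, clicks):
    """Compute click metrics with suspected scanner clicks set aside."""
    delivered = {d["target"]: parse_ts(d["ts"]) for d in deliveries}
    user_clickers, automated_events = set(), []
    for c in clicks:
        if c["target"] not in delivered:
            continue  # click for a recipient we never delivered to; ignore
        signals = click_signals(c, delivered[c["target"]])
        if is_automated(signals):
            automated_events.append((c["target"], c["ip"], signals))
        else:
            user_clickers.add(c["target"])
    total = len(delivered)
    return {
        "recipients": total,
        "user_clickers": len(user_clickers),
        "user_click_rate": len(user_clickers) / total if total else 0.0,
        "automated_events": automated_events,
    }


if __name__ == "__main__":
    result = score_campaign(DELIVERIES, CLICKS)
    print(f"{result['user_clickers']}/{result['recipients']} recipients clicked "
          f"({result['user_click_rate']:.0%}); "
          f"{len(result['automated_events'])} events set aside as automated")
    for target, ip, signals in result["automated_events"]:
        print(f"  {target} from {ip}: {', '.join(signals)}")
```

On the constructed data this reports one genuine clicker out of three recipients and sets two events aside. The timing heuristic is deliberately not decisive on its own, because a recipient who opens mail immediately would otherwise be dropped from the metrics; suspected events are kept in the output for review rather than silently discarded. This only cleans up reporting after the fact; preventing the scanner clicks in the first place still comes down to the Advanced Delivery configuration and direct-injection approaches discussed in the question.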
I don't have any specific insights on Safe Links, but it might help to configure your spam filter to avoid checking certain links. You can usually set it up so it won't trigger on specific URLs. That could cut down on the false positives.

Your spam filter should hopefully have an option to exclude certain URLs or domains from inspection. It could make a big difference!