Get Started Book a Demo

HowTo: Fix False Opens and Clicks in AttackPhish Reports

10th November 2025 | HowTo, MSP, Platform, Technology HowTo: Fix False Opens and Clicks in AttackPhish Reports

Why Does My AttackPhish Report Show Users Opening and Clicking Emails They Never Saw?

Overview

​If you’re seeing users listed as having opened and clicked phishing emails within seconds, or even before they could have possibly opened them, don’t worry. Your users aren’t lying, and nothing is broken. What you’re seeing is a byproduct of modern email security tools doing their job.

What’s Happening

Many email security solutions such as Microsoft Defender for Office 365BarracudaMimecast, and Proofpoint include features like Safe LinksURL Protection, or Link Scanning.

When a simulated phishing email from CyberHoot’s AttackPhish module arrives, these systems automatically:

  1. Open the message in a secure sandbox to inspect its contents.
  2. “Click” every link in the email to verify it’s safe before delivering it to the user’s inbox.

These automated scans trigger the same tracking mechanisms CyberHoot uses to record legitimate user activity. The result is that your report may show:

  • The email was opened seconds after delivery.
  • A link was “clicked” within the same minute.
  • Multiple users showing identical timestamps.

Why This Happens

  • Automated link scanners mimic user clicks.
  • Security gateways follow embedded URLs to check for malicious redirects.
  • Tracking pixels are loaded during this process, falsely marking messages as opened.

In short, your security system (not your user) is the one “clicking.”

How to Fix It

To ensure your AttackPhish reports accurately reflect real user behavior, you’ll need to allow CyberHoot’s phishing simulations to pass through your email filters without sandbox inspection.

Follow the guide below for M365:

[Guide: HowTo – Allow-List by X-Header in Exchange 2013/2016 or Microsoft 365]

For the list of CyberHoot’s IP addresses and domain names needed to set up the allow-listing and to help you with other technologies, please check this page:

https://cyberhoot.com/howto/cyberhoots-email-ip-addresses-and-hostnames/

Summary

False “opens” and “clicks” in AttackPhish reports are almost always caused by link-scanning technologies doing what they’re designed to do: protect your users. Once CyberHoot’s domains or headers are allow-listed, you’ll see accurate results that reflect genuine user behavior.

Latest Blogs

Stay sharp with the latest security insights

Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.

Zero Trust RPAM: The Future of Secure Remote Access
2nd December 2025 | Blog

Zero Trust RPAM: The Future of Secure Remote Access

The world of work has changed enormously since COVID-19. Gone are the days when IT admins sat behind a corporate...

Read more
Microsoft Integrates Passkeys into Windows: is this the start of a Passwordless Future?
11th November 2025 | Blog

Microsoft Integrates Passkeys into Windows: is this the start of a Passwordless Future?

Let’s be honest, who hasn’t reset a password at least once this month? For decades, passwords have been our...

Read more
When You Become the Hacker: How Modern Attacks Trick You Into Hacking Yourself
4th November 2025 | Blog

When You Become the Hacker: How Modern Attacks Trick You Into Hacking Yourself

In a shift away from the usual “hack-meets-victim” narrative, a new kind of cyber-assault is emerging. One...

Read more
Get Started All Posts