Get Started Book a Demo

HowTo: Fix False Opens and Clicks in AttackPhish Reports

10th November 2025 | HowTo, MSP, Platform, Technology HowTo: Fix False Opens and Clicks in AttackPhish Reports

Why Does My AttackPhish Report Show Users Opening and Clicking Emails They Never Saw?

Overview

​If you’re seeing users listed as having opened and clicked phishing emails within seconds, or even before they could have possibly opened them, don’t worry. Your users aren’t lying, and nothing is broken. What you’re seeing is a byproduct of modern email security tools doing their job.

What’s Happening

Many email security solutions such as Microsoft Defender for Office 365BarracudaMimecast, and Proofpoint include features like Safe LinksURL Protection, or Link Scanning.

When a simulated phishing email from CyberHoot’s AttackPhish module arrives, these systems automatically:

  1. Open the message in a secure sandbox to inspect its contents.
  2. “Click” every link in the email to verify it’s safe before delivering it to the user’s inbox.

These automated scans trigger the same tracking mechanisms CyberHoot uses to record legitimate user activity. The result is that your report may show:

  • The email was opened seconds after delivery.
  • A link was “clicked” within the same minute.
  • Multiple users showing identical timestamps.

Why This Happens

  • Automated link scanners mimic user clicks.
  • Security gateways follow embedded URLs to check for malicious redirects.
  • Tracking pixels are loaded during this process, falsely marking messages as opened.

In short, your security system (not your user) is the one “clicking.”

How to Fix It

To ensure your AttackPhish reports accurately reflect real user behavior, you’ll need to allow CyberHoot’s phishing simulations to pass through your email filters without sandbox inspection.

Follow the guide below for M365:

[Guide: HowTo – Allow-List by X-Header in Exchange 2013/2016 or Microsoft 365]

For the list of CyberHoot’s IP addresses and domain names needed to set up the allow-listing and to help you with other technologies, please check this page:

https://cyberhoot.com/howto/cyberhoots-email-ip-addresses-and-hostnames/

Summary

False “opens” and “clicks” in AttackPhish reports are almost always caused by link-scanning technologies doing what they’re designed to do: protect your users. Once CyberHoot’s domains or headers are allow-listed, you’ll see accurate results that reflect genuine user behavior.

Latest Blogs

Stay sharp with the latest security insights

Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.

QR Codes Are Back (They Still Want Your Password)
13th January 2026 | Blog

QR Codes Are Back (They Still Want Your Password)

Remember 2020? We scanned QR codes for everything. Restaurant menus. Parking meters. That awkward moment at a...

Read more
AI-Powered Phishing Kits Are Game-Changing, In a Very Bad Way
6th January 2026 | Blog

AI-Powered Phishing Kits Are Game-Changing, In a Very Bad Way

Phishing emails used to be easy to spot. Bad grammar. Weird links. Obvious scams. Those days are...

Read more
AI Poisoning: Fake Support Scam — AI Search as the New Attack Surface
16th December 2025 | Blog

AI Poisoning: Fake Support Scam — AI Search as the New Attack Surface

Cybercriminals always follow Internet eyeballs. Not literally, but figuratively. And today's eyeballs are...

Read more
Get Started All Posts