HowTo: Fix False Opens and Clicks in AttackPhish Reports

Why Does My AttackPhish Report Show Users Opening and Clicking Emails They Never Saw?

Overview

If you’re seeing users listed as having opened and clicked phishing emails within seconds, or even before they could have possibly opened them, don’t worry. Your users aren’t lying, and nothing is broken. What you’re seeing is a byproduct of modern email security tools doing their job.

What’s Happening

Many email security solutions such as Microsoft Defender for Office 365, Barracuda, Mimecast, and Proofpoint include features like Safe Links, URL Protection, or Link Scanning.
When a simulated phishing email from CyberHoot’s AttackPhish module arrives, these systems automatically:
  1. Open the message in a secure sandbox to inspect its contents.
  2. “Click” every link in the email to verify it’s safe before delivering it to the user’s inbox.
These automated scans trigger the same tracking mechanisms CyberHoot uses to record legitimate user activity. The result is that your report may show:
  1. The email was opened seconds after delivery.
  2. A link was “clicked” within the same minute.
  3. Multiple users showing identical timestamps.

Why This Happens

  1. Automated link scanners mimic user clicks.
  2. Security gateways follow embedded URLs to check for malicious redirects.
  3. Tracking pixels are loaded during this process, falsely marking messages as opened.
In short, your security system (not your user) is the one “clicking.”
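
The three report symptoms listed under "What's Happening" can be used to triage rows that were already recorded. The sketch below is an added example, not CyberHoot's code: the row layout (user, delivered, opened, clicked), the 30- and 60-second thresholds, and the sample rows are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds; the article only says "seconds" and "the same minute".
OPEN_WINDOW = timedelta(seconds=30)
CLICK_WINDOW = timedelta(seconds=60)

# Constructed sample rows: (user, delivered, opened, clicked); None = no event.
SAMPLE = [
    ("alice@example.com", "2024-05-01T09:00:00", "2024-05-01T09:00:04", "2024-05-01T09:00:05"),
    ("bob@example.com",   "2024-05-01T09:00:00", "2024-05-01T09:00:04", "2024-05-01T09:00:05"),
    ("carol@example.com", "2024-05-01T09:00:01", "2024-05-01T11:42:10", "2024-05-01T11:43:02"),
    ("dave@example.com",  "2024-05-01T09:00:01", "2024-05-01T10:15:30", None),
]

def _ts(value):
    """Parse an ISO 8601 timestamp, passing None through for missing events."""
    return datetime.fromisoformat(value) if value else None

def classify(rows):
    """Return {user: [reasons]}; an empty list means no scanner symptom matched."""
    parsed = [(u, _ts(d), _ts(o), _ts(c)) for u, d, o, c in rows]
    # Symptom 3: the same click timestamp recorded for more than one user.
    shared = Counter(c for _, _, _, c in parsed if c)
    result = {}
    for user, delivered, opened, clicked in parsed:
        reasons = []
        # Symptom 1: opened seconds after delivery (or before it, a negative delta).
        if opened and opened - delivered <= OPEN_WINDOW:
            reasons.append("open_within_seconds_of_delivery")
        # Symptom 2: link followed within the same minute as delivery.
        if clicked and clicked - delivered <= CLICK_WINDOW:
            reasons.append("click_within_a_minute_of_delivery")
        if clicked and shared[clicked] > 1:
            reasons.append("click_timestamp_shared_with_other_users")
        result[user] = reasons
    return result

if __name__ == "__main__":
    for user, reasons in classify(SAMPLE).items():
        verdict = "likely scanner" if reasons else "likely user"
        print(f"{user}: {verdict} {reasons}")
```

A flagged row is a candidate for exclusion, not proof: a user who clicks quickly will match the first two checks as well, so the allow-listing described below remains the actual fix.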

How to Fix It

To ensure your AttackPhish reports accurately reflect real user behavior, you’ll need to allow CyberHoot’s phishing simulations to pass through your email filters without sandbox inspection.
Follow the guide below for M365:

For the list of CyberHoot's IP addresses and domain names needed to set up the allow-listing and to help you with other technologies, please check this page:

Summary

False “opens” and “clicks” in AttackPhish reports are almost always caused by link-scanning technologies doing what they’re designed to do: protect your users. Once CyberHoot’s domains or headers are allow-listed, you’ll see accurate results that reflect genuine user behavior.