Question
Why do I see click or multi-click events from the IP ranges owned by Microsoft in my Phishing campaign?
Answer
The number one reason we see system clicks is incomplete safelisting. Microsoft Threat Protection and Microsoft ATP have many components, and any of them can affect your Phishing campaigns. If you notice a lot of click events from IPs in the ranges included below, you will need to revisit your safelisting.
To prevent these interactions, make sure the following recommendations are in place:
- Have your Exchange administrator create two mail flow rules to allow emails sent from our mail gateways to bypass ATP.
For more information, see Bypass Microsoft ATP Link Processing and Bypass Microsoft ATP Attachment Processing.
- Another scenario that results in Microsoft IPs detonating your Phishing Campaigns is when users report the email using the Mark as Phish or Mark as Spam option.
This is a Microsoft reporting button that can be disabled if needed.
Note: Reporting with this 3rd party button will cause the Phishing Campaign to be detonated.
See False Positives Reporting Phish Directly to Microsoft for more information.
You can see all of Microsoft's IPs here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Carlos Rios
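One way to triage a campaign's click export against those ranges, as an added example that is not part of the original article or the vendor's tooling. The CIDR blocks are documentation placeholders rather than real Microsoft ranges, and the (recipient, source IP, timestamp) layout and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder ranges (RFC 5737 / RFC 3849 documentation blocks), NOT real
# Microsoft ranges. Replace with the ranges from Microsoft's published list.
SCANNER_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]

# Constructed sample click export: (recipient, source IP, ISO timestamp).
SAMPLE_CLICKS = [
    ("alice@example.com", "192.0.2.17", "2024-01-10T09:00:01"),
    ("alice@example.com", "192.0.2.44", "2024-01-10T09:00:02"),
    ("bob@example.com", "203.0.113.9", "2024-01-10T09:14:30"),
    ("carol@example.com", "198.51.100.5", "2024-01-10T09:00:03"),
    ("carol@example.com", "203.0.113.80", "2024-01-10T11:42:10"),
    ("dave@example.com", "not-an-ip", "2024-01-10T09:05:00"),
]

def classify_clicks(clicks, ranges):
    """Split each recipient's clicks into 'system' (source IP inside a
    listed range), 'user' (any other valid IP) and 'invalid'."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    result = defaultdict(lambda: {"system": [], "user": [], "invalid": []})
    for recipient, ip_text, ts in clicks:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # Keep malformed rows visible instead of silently dropping them.
            result[recipient]["invalid"].append((ip_text, ts))
            continue
        # Only compare against networks of the same IP version.
        hit = any(ip.version == n.version and ip in n for n in nets)
        result[recipient]["system" if hit else "user"].append((ip_text, ts))
    return dict(result)

def safelisting_suspects(classified):
    """Recipients whose clicks ALL came from listed ranges: most likely
    automated link processing rather than a person clicking."""
    return sorted(r for r, c in classified.items()
                  if c["system"] and not c["user"])

def system_click_ratio(classified):
    """Fraction of valid clicks that originated from the listed ranges."""
    sys_n = sum(len(c["system"]) for c in classified.values())
    total = sys_n + sum(len(c["user"]) for c in classified.values())
    return sys_n / total if total else 0.0

if __name__ == "__main__":
    report = classify_clicks(SAMPLE_CLICKS, SCANNER_RANGES)
    print("system-only recipients:", safelisting_suspects(report))
    print("system click ratio:", system_click_ratio(report))
```

A high ratio, or many system-only recipients, points to incomplete safelisting; a recipient with both system and user clicks may have reported the email after clicking it.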