Why are we seeing automatic opens and clicks on Office 365 hosted recipient domains?

Key findings

• Security Pre-scanning: Office 365 utilizes features like Safe Links and Safe Attachments within Microsoft Defender to proactively scan email content for threats. This involves a sandboxed environment opening emails and clicking links to analyze their safety.
• Impact on Metrics: These automated interactions inflate open rates and click-through rates, making it challenging for senders to gauge genuine subscriber engagement. It's crucial to identify and filter out such artificial engagement.
• Unsubscribe Link Clicks: A notable consequence is that Safe Links can click unsubscribe links, potentially leading to unintended unsubscribes or false positives in subscriber churn data.
• IP Addresses: Automated opens and clicks typically originate from Microsoft's own IP ranges, which can often be identified through email tracking logs, distinguishing them from recipient engagement.

Key considerations

• Metric Adjustment: Email marketers should adjust their expectations for open and click metrics, particularly for audiences heavy on Office 365 domains. Focus on more reliable engagement indicators, such as conversions or replies.
• Segment Analysis: Segment your audience by domain to gain clearer insights into engagement patterns. This helps in understanding how Office 365's filtering affects your deliverability.
• Link Tracking: Be aware that any link within your email, including internal navigation or social media links, can be clicked by these automated systems.
• Email Authentication: Ensure your email authentication protocols like SPF, DKIM, and DMARC are correctly configured. Strong authentication can improve trust with Office 365 and potentially influence how aggressively emails are scanned. You can learn more about a simple guide to DMARC, SPF, and DKIM.

Key opinions

• Skewed Metrics: Many marketers report inflated open and click rates, making campaign performance analysis difficult. This leads to a need for alternative methods to measure engagement beyond traditional tracking pixels.
• Unsubscribe Risk: A key worry is the automated clicking of unsubscribe links by security scanners, potentially leading to genuine subscribers being removed from lists without their intent.
• Security vs. Data Accuracy: Marketers recognize the security benefits of Microsoft's features but lament the trade-off in reliable data. They often wish for better ways to distinguish human interaction from bot activity. Our guide on identifying automated scripts might be helpful.
• Identifying Source: The consensus is that these automated interactions are primarily from Microsoft Defender for Office 365, indicating it's a systemic behavior across Office 365 environments.

Key considerations

• Focus on Conversion: Shift focus from vanity metrics like opens to hard conversions, purchases, or other bottom-of-funnel actions that directly impact business goals. Consider the impact on click-through rates.
• Audience Segmentation: Segment lists by recipient domain to better understand where automated activity is most prevalent. This allows for more targeted analysis and potentially different measurement strategies for Office 365 domains.
• URL Rewriting: Understand that Office 365 Safe Links often rewrite URLs, which can sometimes interfere with specific tracking mechanisms or lead to unexpected redirects.
• Clear Communication: Communicate these observed phenomena to stakeholders, explaining why traditional email metrics may not be entirely accurate for Office 365 recipients. This also impacts why O365 may mark emails as spam from third-party ESPs.

Key opinions

• Security Intent: The core reason for these interactions is Microsoft's commitment to security, pre-scanning content in a safe environment to detect threats before they reach the inbox. This proactive defense is critical for mitigating phishing and malware attacks.
• Standard Behavior: Automated opens and clicks are considered standard operating procedure for many modern mailbox providers, especially those with advanced threat protection, like Microsoft. It's not unique to Office 365, though Microsoft's implementation is particularly noticeable.
• Data Interpretation: Experts stress that traditional open and click metrics are no longer entirely reliable indicators of human engagement for all recipients. Senders must evolve their data analysis to account for bot activity. This ties into understanding why deliverability rates might be wrong.
• Impact on Deliverability: While these clicks don't necessarily harm deliverability, a sudden spike in opens or clicks from unusual IPs could sometimes be a sign that emails are being routed through certain security layers before reaching the inbox.

Key considerations

• IP Filtering: Analyze tracking data to identify and filter out opens and clicks from known Microsoft IP ranges (or those of other security vendors) to get a clearer picture of human engagement.
• Alternative Metrics: Emphasize unique clicks (after initial bot activity), replies, forwards, and conversions as more reliable indicators of engagement for Office 365 recipients. This aligns with modern technical solutions for deliverability.
• Unsubscribe Management: Implement double opt-out confirmations for unsubscribe links if automated clicks cause significant issues, ensuring that only genuinely opted-out users are removed from lists.
• Email Header Analysis: Examine email headers for clues from Microsoft's Exchange Online Protection (EOP) or Defender for Office 365, as these can indicate whether an email has passed through their scanning systems. This can help diagnose DMARC issues in Microsoft 365.

Key findings

• Safe Links Functionality: Microsoft's Safe Links feature rewrites URLs in emails and then scans them at the time of click. However, it also performs initial pre-scan checks that can result in automated clicks as part of its threat detection process.
• Safe Attachments Behavior: The Safe Attachments feature uses a virtual environment (detonation chamber) to open and test attachments, which can also trigger embedded tracking pixels or external calls if the attachment content involves such elements.
• Policy Configuration: Administrators can configure Safe Links policies within the Microsoft 365 Defender portal, allowing for exclusions of specific URLs or domains from being rewritten or scanned. This offers some control over automated interactions, although not at the level of specific link types (e.g., unsubscribe).
• Protection Priority: The documentation consistently emphasizes that these features prioritize user protection from advanced threats, accepting that some automated interactions are a necessary byproduct of comprehensive security scanning.

Key considerations

• Admin Control: While automated opens and clicks are largely unavoidable, Office 365 administrators have some control through Safe Links policies to exclude trusted domains from certain scanning behaviors. This configuration is critical for managing whitelisting domains in Office 365.
• Email Header Information: Microsoft Exchange Online Protection (EOP) and Defender for Office 365 add specific headers to emails that indicate the scanning and verdict status. Analyzing these headers can provide insights into how an email was processed.
• Evolving Threats: Microsoft continually updates its threat protection mechanisms, meaning the exact behavior of Safe Links and Safe Attachments may evolve over time in response to new attack vectors. Staying informed about these updates is key. Learn more about Office 365 Advanced Threat Protection.
• User Awareness: The documentation often highlights the importance of user awareness and training alongside technical controls to enhance overall security posture. This reduces reliance solely on automated scanning to catch all threats.