Office365's automatic opening and clicking of emails is a multifaceted issue predominantly driven by security measures and scanning processes. Microsoft's Advanced Threat Protection (ATP) with Safe Links, together with URL rewriting and detonation by various security solutions (Proofpoint, Cisco Talos, SANS Institute), contributes to artificial clicks as URLs are analyzed for malicious content. Additionally, corporate email systems scan for viruses/malware, and email clients may pre-fetch images or validate links, further inflating engagement metrics. While designed to protect users, these automated interactions can skew marketing data, impacting analytics costs and potentially sender reputation. Experts suggest data filtering (by User Agent or IP address) and avoiding unwise use of unsubscribe links as mitigation strategies, but acknowledge that a complete solution remains elusive.
12 marketer opinions
Office365 automatically opens and clicks emails primarily due to security measures implemented by Microsoft and other email security vendors. These measures include Safe Links in Office 365 ATP, URL rewriting by security solutions, automated detonation in sandbox environments, and virus/malware scanning. Additionally, image caching by email clients and link validation checks can also contribute to inflated open and click rates. These automated interactions are designed to protect users, but they can skew email marketing metrics and potentially impact sender reputation if not properly managed.
Marketer view
Email marketer from Reddit shares that some email clients cache images by pre-fetching them from the server. This process of pre-fetching can register as an 'open' even if the recipient hasn't actually viewed the email.
9 Jan 2023 - Reddit
Marketer view
Email marketer from Litmus explains that some email clients or security tools perform link validation checks. These tools might automatically click on links in an email to ensure they are valid and safe, thus inflating click rates.
14 Mar 2023 - Litmus
6 expert opinions
Experts confirm that Office365 automatically opening and clicking emails is a known issue. This behavior seems to be influenced by Microsoft's internal processes, potentially involving AI training or cyclical testing of senders, even those with good reputations. While the specific triggers remain unclear, it primarily impacts metrics and can lead to inflated analytics costs. Addressing this issue is difficult, but filtering data based on User Agent or IP address may provide some relief. Avoiding unwise use of unsubscribe links is also advised.
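One way to apply the User Agent or IP address filtering mentioned above, as an added example that is not from the original page or from any vendor. The networks and User-Agent markers are constructed placeholders (RFC 5737 documentation ranges), and the event field names are assumptions about how a tracking log is structured.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges, made-up UA markers).
# Replace with networks and User-Agent substrings seen in your own tracking logs.
SCANNER_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
SCANNER_UA_MARKERS = ("examplescanner", "linkcheck-bot")


def automated_reason(event):
    """Return the rule that marks an event as automated, or None."""
    ua = (event.get("user_agent") or "").lower()
    for marker in SCANNER_UA_MARKERS:
        if marker in ua:
            return "ua:" + marker
    try:
        addr = ipaddress.ip_address(event.get("ip") or "")
    except ValueError:
        return None  # unparseable IP: cannot match a network, keep the event
    for net in SCANNER_NETWORKS:
        if addr.version == net.version and addr in net:
            return "ip:" + str(net)
    return None


def split_events(events):
    """Partition tracking events into (human, automated) lists."""
    human, automated = [], []
    for ev in events:
        reason = automated_reason(ev)
        if reason:
            # Drop the event, not the recipient: the same person may click later.
            automated.append({**ev, "reason": reason})
        else:
            human.append(ev)
    return human, automated


def unique_click_rate(events, delivered):
    """Unique recipients with at least one click, divided by delivered count."""
    clickers = {ev["recipient"] for ev in events if ev["type"] == "click"}
    return len(clickers) / delivered if delivered else 0.0

# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    {"recipient": "a@example.com", "type": "click", "ip": "192.0.2.14", "user_agent": "Mozilla/5.0"},
    {"recipient": "a@example.com", "type": "click", "ip": "203.0.113.9", "user_agent": "Mozilla/5.0"},
    {"recipient": "b@example.com", "type": "click", "ip": "203.0.113.20", "user_agent": "ExampleScanner/1.2"},
    {"recipient": "c@example.com", "type": "open", "ip": "198.51.100.200", "user_agent": "Mozilla/5.0"},
    {"recipient": "d@example.com", "type": "click", "ip": "not-an-ip", "user_agent": ""},
]
```

Reporting the raw and filtered rates side by side, with the matched rule kept on each dropped event, makes it possible to audit the filter when a placeholder list turns out to be too broad.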
Expert view
Expert from Email Geeks shares they’ve also seen other people Suddenly Surprised by O365 doing this and it feels like there’s something about their mail or behaviour that triggers the sudden interest.
17 Apr 2025 - Email Geeks
Expert view
Expert from Email Geeks confirms the issue of Office365 auto opens and clicks.
27 Aug 2023 - Email Geeks
3 technical articles
Office365 automatically opens and clicks emails because of security mechanisms like URL detonation in sandbox environments and Safe Links verification. These systems rewrite and check URLs in emails to protect users from malicious content. While effective, these automated processes generate artificial clicks and opens, as no real user interaction occurs.
Technical article
Documentation from Microsoft clarifies that Safe Links in Microsoft Defender for Office 365 helps protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Each URL is rewritten and checked against a list of known malicious links, potentially triggering a 'click' during the verification process.
15 Nov 2023 - Microsoft Learn
Technical article
Documentation from SANS Institute details that URL detonation is a common technique where security systems automatically visit URLs in emails in a controlled environment (sandbox) to check for malicious behavior, resulting in automated clicks.
15 Feb 2023 - SANS Institute