The phenomenon of Office 365 automatically opening and clicking emails is a common concern for email marketers and deliverability professionals. This behavior is primarily driven by Microsoft's advanced security measures designed to protect users from malicious content. These actions, while beneficial for security, can significantly skew email engagement metrics, leading to confusion about campaign performance and recipient interaction.
Key findings
Pre-scanning: Office 365's security layers, such as Microsoft Defender for Office 365 (formerly Advanced Threat Protection or ATP), routinely pre-scan emails for malware, phishing attempts, and other threats. This involves opening emails and clicking links in a sandboxed environment before they reach the recipient's inbox.
Safe links: The Safe Links feature rewrites URLs in emails and then scans them at the time of click. Automated clicks occur during this scanning process to ensure the link's safety.
Metric distortion: These automated interactions inflate open and click rates, making it difficult for senders to accurately assess genuine user engagement. This can also trigger unwanted actions like one-click unsubscribes if not managed carefully.
Common occurrence: The behavior is particularly prevalent in enterprise and B2B environments, where organizations widely adopt Microsoft's comprehensive security suites.
Key considerations
Data analytics adjustment: It is crucial to adjust your email marketing analytics to account for these bot-driven interactions. Identifying and excluding them can provide a more accurate picture of recipient engagement. Learn how to identify and handle bot clicks.
Preventing unwanted unsubscribes: Implement safeguards to prevent security scanners from triggering one-click unsubscribe links embedded in the email body. Consider placing the unsubscribe link in the header. For more on this, read how to prevent Microsoft Defender from causing issues.
Impact on server load: While generally not a major issue for robust systems, a significant volume of automated clicks and opens could potentially increase load on image and redirect servers, especially for smaller or less optimized infrastructures. Refer to Spiceworks for related discussions.
Deliverability status: Despite these automated actions, emails are typically still delivered to the intended recipients, often without the recipient's immediate awareness of the pre-scanning activity.
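One way to separate scanner activity from genuine clicks before computing engagement metrics, shown as an added example that is not part of the original page. It flags clicks by timing alone; the thresholds, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the page); tune them against your own traffic.
EARLY = timedelta(seconds=30)  # click arrives this soon after delivery
BURST = timedelta(seconds=5)   # window for "several links at once"
BURST_LINKS = 3                # distinct URLs inside one BURST window

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def classify_clicks(events):
    """Split click events into (human, automated) using timing only."""
    per_recipient = defaultdict(list)
    for ev in events:
        per_recipient[ev["recipient"]].append(ev)
    human, automated = [], []
    for evs in per_recipient.values():
        evs.sort(key=lambda e: _ts(e["clicked_at"]))
        flagged = set()
        for i, ev in enumerate(evs):
            clicked = _ts(ev["clicked_at"])
            if clicked - _ts(ev["delivered_at"]) <= EARLY:
                flagged.add(i)  # too soon after delivery to be a person
            near = [j for j, other in enumerate(evs)
                    if abs(_ts(other["clicked_at"]) - clicked) <= BURST]
            if len({evs[j]["url"] for j in near}) >= BURST_LINKS:
                flagged.update(near)  # many different links almost at once
        for i, ev in enumerate(evs):
            (automated if i in flagged else human).append(ev)
    return human, automated

def _ev(recipient, url, delivered_at, clicked_at):
    return dict(recipient=recipient, url=url, delivered_at=delivered_at, clicked_at=clicked_at)

# Constructed sample data, not taken from any real campaign.
SAMPLE = [
    _ev("a@contoso.example", "/offer", "2024-05-21T09:00:00", "2024-05-21T09:00:04"),
    _ev("a@contoso.example", "/pricing", "2024-05-21T09:00:00", "2024-05-21T09:00:04"),
    _ev("a@contoso.example", "/unsubscribe", "2024-05-21T09:00:00", "2024-05-21T09:00:05"),
    _ev("a@contoso.example", "/offer", "2024-05-21T09:00:00", "2024-05-21T11:32:10"),
    _ev("b@fabrikam.example", "/pricing", "2024-05-21T09:00:01", "2024-05-21T09:47:30"),
    _ev("c@fabrikam.example", "/offer", "2024-05-21T09:00:00", "2024-05-21T10:15:00"),
    _ev("c@fabrikam.example", "/pricing", "2024-05-21T09:00:00", "2024-05-21T10:15:01"),
    _ev("c@fabrikam.example", "/blog", "2024-05-21T09:00:00", "2024-05-21T10:15:02"),
]

if __name__ == "__main__":
    print([len(group) for group in classify_clicks(SAMPLE)])
```

Recipient `a` shows why the split is per event rather than per recipient: the burst seconds after delivery is excluded, while the same person's click two and a half hours later still counts.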
What email marketers say
Email marketers frequently encounter unexpected automatic opens and clicks from Office 365 environments. This behavior can lead to inflated engagement metrics and misinterpretations of campaign performance. Many marketers acknowledge that this is an unavoidable aspect of modern email security, particularly when targeting B2B audiences where Microsoft's security protocols are widely adopted.
Key opinions
Widespread issue: Automatic opens and clicks from Office 365 are very common, especially in enterprise and B2B contexts, and their prevalence is increasing.
Unexpected spikes: Marketers often report sudden and unnatural spikes in opens and clicks, suggesting specific triggers in their email content or sending behavior that might activate these security mechanisms.
AI training: Some believe Microsoft may be using these interactions to train its artificial intelligence for better threat detection, which could explain the varying behavior across different senders.
Deliverability generally unaffected: Most marketers assume that despite the automated activity, emails are still largely delivered to the intended inboxes as before. The primary impact is on analytics.
Key considerations
Metric integrity: The main challenge for marketers is distinguishing genuine engagement from security scans, which requires careful data cleaning and filtering. This is part of the broader issue of why you are seeing bot clicks.
Unsubscribe link placement: To prevent accidental unsubscribes from security scanners, marketers are advised to avoid placing one-click unsubscribe links directly in the email body. This aligns with general advice on avoiding automated script issues.
Resource utilization: While usually manageable, the increased traffic from security scanners can occasionally lead to higher analytics costs or unexpected server load for less robust setups. Read about automated file interactions for a related context.
Adapting to the landscape: Marketers must accept these automated behaviors as a standard part of the email landscape and adapt their tracking and reporting strategies accordingly.
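A sketch of the unsubscribe safeguard described above, added here as an example and not taken from the original page. It goes one step beyond the page by using the RFC 8058 `List-Unsubscribe-Post` header, so that a plain GET of the link (which is what a link scanner issues) only returns a confirmation page; the endpoint URL, token and `confirm` form field are hypothetical.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical endpoint and token; substitute your own.
UNSUB_URL = "https://mail.example.com/unsubscribe?t=TOKEN-PLACEHOLDER"

def build_message(sender, recipient, subject, body):
    """Build a message whose one-click unsubscribe lives in the headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # Header-based unsubscribe: the mail client, not a body link, triggers it.
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(body)
    return msg

def handle_unsubscribe(method, body, subscribed, address):
    """Decide what a request to the unsubscribe endpoint may do.

    Returns (http_status, action). `subscribed` is a set of addresses that
    stands in for the real subscriber store.
    """
    if method in ("GET", "HEAD"):
        # Following the link never changes state; it only shows a page
        # with a button that submits confirm=yes.
        return 200, "confirmation-page"
    if method == "POST":
        form = parse_qs(body)
        one_click = form.get("List-Unsubscribe") == ["One-Click"]  # RFC 8058
        confirmed = form.get("confirm") == ["yes"]  # hypothetical form field
        if one_click or confirmed:
            subscribed.discard(address)
            return 200, "unsubscribed"
        return 400, "rejected"
    return 405, "rejected"

if __name__ == "__main__":
    subs = {"user@contoso.example"}  # constructed sample subscriber
    print(handle_unsubscribe("GET", "", subs, "user@contoso.example"), subs)
```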
Marketer view
Email marketer from Email Geeks notes that Office 365 domains frequently auto-open and click emails. They observed significant, unnatural spikes in engagement after sends, indicating an automated process rather than human interaction.
21 May 2024 - Email Geeks
Marketer view
Email marketer from Email Geeks confirms that automatic opens and clicks are extremely common, especially within the enterprise and B2B email sectors, and their occurrence is growing.
21 May 2024 - Email Geeks
What the experts say
Deliverability experts recognize that automated opening and clicking of emails by Office 365 is a standard and evolving aspect of enterprise email security. These actions are typically part of a robust defense strategy to identify and neutralize threats before they reach end-users. Experts advise senders to understand these mechanisms to better interpret their email performance data and mitigate any unintended consequences.
Key opinions
Security imperative: Microsoft's automated interactions are primarily for security, acting as a sandbox to analyze potential threats without exposing recipients.
Sophistication: These systems are highly sophisticated, adapting to new threats and sometimes exhibiting behavior that might appear random but is part of a complex filtering process.
Impact on metrics vs. delivery: While opens and clicks are affected, the underlying deliverability of the email message to the inbox usually remains intact unless genuine malicious content is detected.
Evolving threat landscape: This behavior is a direct response to an evolving threat landscape, where advanced phishing and malware delivery techniques necessitate proactive scanning.
Key considerations
Accurate reporting: Because engagement data is slightly skewed, senders need to rely on additional metrics beyond raw opens and clicks for a true performance assessment. This includes considering your email deliverability rate.
Authentication standards: Strong email authentication (SPF, DKIM, DMARC) is vital to ensure that legitimate emails are distinguished from spoofed ones, reducing the likelihood of excessive security scrutiny. See our guide to DMARC, SPF, and DKIM.
Sender reputation: Maintaining a positive sender reputation can influence how aggressively Microsoft's systems interact with your emails, potentially leading to fewer problematic scans over time. More on this at SpamResource.
Continuous monitoring: Regularly monitor deliverability and engagement trends specific to Office 365 recipients to identify any shifts in behavior or potential issues.
Expert view
Email expert from SpamResource explains that automated email interactions are a fundamental part of modern cybersecurity strategies, where systems like Office 365 proactively evaluate content and links to prevent widespread attacks.
22 May 2024 - SpamResource
Expert view
Email expert from Word to the Wise suggests that while these automated actions can distort engagement metrics, they rarely impede the actual delivery of legitimate emails to the inbox. The primary concern is data interpretation.
22 May 2024 - Word to the Wise
What the documentation says
Official documentation and security advisories from Microsoft highlight the extensive measures taken to protect users from email-borne threats. Features like Microsoft Defender for Office 365, Safe Attachments, and Safe Links are designed to preemptively analyze email content, including opening messages and clicking embedded URLs in a secure sandbox environment. This proactive approach aims to identify and block phishing, malware, and other malicious content before it can reach the end-user, often resulting in automated interactions that are recorded as opens and clicks.
Key findings
Threat protection layers: Office 365 employs multiple layers of threat protection that scrutinize incoming emails for malicious indicators, including dynamic analysis that involves simulated user actions.
Sandbox environments: Emails, especially those with suspicious content or links, are often routed through detonation chambers (sandboxes) where they are 'opened' and 'clicked' to observe their behavior safely.
URL rewriting: Safe Links functionality rewrites original URLs to direct them through Microsoft's security infrastructure, enabling real-time scanning upon user click, or sometimes, pre-scanning by the system.
Dynamic delivery: Depending on the detected threat level, emails may be delivered with a delay (dynamic delivery) to allow for thorough scanning, which can involve initial automated interactions.
Key considerations
Configuration impact: Specific Office 365 tenant configurations, particularly those related to advanced threat protection policies, can influence the extent and nature of automated email interactions. IT administrators can manage these settings.
False positives: While designed for security, these systems can sometimes exhibit overly cautious behavior or trigger on legitimate content, leading to false positives in engagement metrics. More information is available on Super User for related technical challenges.
Compliance and reporting: Organizations using Office 365 should be aware of these automated security processes for internal reporting and compliance, especially when analyzing user engagement with sensitive information.
Sender best practices: Adhering to general email deliverability best practices, including proper authentication (like SPF, DKIM, DMARC), maintaining a clean sender reputation, and avoiding suspicious email content, can help optimize interaction with security filters. This can also help when Microsoft is scanning links at a high rate.
Technical article
Official Microsoft documentation outlines how Microsoft Defender for Office 365's Safe Links feature proactively checks URLs in emails. This involves rewriting links and then scanning them at the point of click, with initial scans occurring automatically in a secure sandbox.
22 May 2024 - Microsoft Learn
Technical article
Microsoft's security guidelines confirm that Safe Attachments operates by detonating email attachments in a virtual environment. This process can simulate user interaction, including opening files and triggering embedded links, to analyze their behavior before delivery.