If your client uses a third-party email service, that service may be inspecting links within the customer's emails.
Preventing false positives
- Follow Phin's Allowlisting Guide
- If Graph API Mail Delivery is currently enabled, we recommend disabling this feature.
- Enable Phin's Ignore Third Party Service IP Addresses feature (third-party email services include Microsoft, Google, Yahoo, etc.).
How to identify a false positive vs user click
- A good place to begin investigating is the time elapsed between the send and clicked times. An unusual time lapse between the two could indicate that a third-party email service inspected the link, rather than a person clicking that quickly. These times can be viewed in the Phishing Analytics section of the portal.
- Another place to look for possible false positives is the IP address: check whether it belongs to an organization that is not the end user's.
How to identify false positive IPs
- To identify IPs for false positives, go to Analytics > Phishing and click the download icon in the lower right corner of the page.
- Open the downloaded table and find the column that displays the IP addresses.
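One way to apply both checks (send-to-click time and IP ownership) to the downloaded table, as an added example that is not Phin's own code. The column names (sent_at, clicked_at, ip_address), the 30-second threshold and the CIDR ranges are assumptions; replace the placeholder ranges with the ones your third-party email service publishes.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: placeholder CIDRs (RFC 5737 documentation ranges) standing in for
# the ranges published by the third-party email service in use.
SCANNER_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Assumption: a click sooner than this after send is treated as unusually fast.
MIN_HUMAN_DELAY_SECONDS = 30

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """user,sent_at,clicked_at,ip_address
alice@example.com,2024-05-01T09:00:00,2024-05-01T09:00:04,192.0.2.15
bob@example.com,2024-05-01T09:00:00,2024-05-01T11:42:10,203.0.113.77
carol@example.com,2024-05-01T09:00:00,2024-05-01T09:00:02,203.0.113.80
dave@example.com,2024-05-01T09:00:00,2024-05-01T10:15:00,198.51.100.9
erin@example.com,2024-05-01T09:00:00,,
"""

def triage_clicks(csv_text, networks=SCANNER_NETWORKS, min_delay=MIN_HUMAN_DELAY_SECONDS):
    """Return one dict per recorded click with the reasons it looks automated."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["clicked_at"]:
            continue  # no click recorded for this recipient
        reasons = []
        sent = datetime.fromisoformat(row["sent_at"])
        clicked = datetime.fromisoformat(row["clicked_at"])
        if (clicked - sent).total_seconds() < min_delay:
            reasons.append("fast_click")
        try:
            ip = ip_address(row["ip_address"].strip())
            if any(ip in net for net in networks):
                reasons.append("scanner_ip")
        except ValueError:
            reasons.append("unparseable_ip")  # keep the row visible for manual review
        if "fast_click" in reasons and "scanner_ip" in reasons:
            verdict = "likely_false_positive"
        elif reasons:
            verdict = "needs_review"
        else:
            verdict = "likely_user_click"
        results.append({"user": row["user"], "reasons": reasons, "verdict": verdict})
    return results

if __name__ == "__main__":
    for item in triage_clicks(SAMPLE_EXPORT):
        print(item)
```

A row that trips only one signal is marked for review rather than dismissed, since a fast click from an unlisted IP or a slow click from a listed range can still be a real user.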
What doesn't count as a click?
- Opening an email
- Forwarding an email
- Reporting an email as a phishing attempt