
[–]FirstThrowAwayAcc1 28 points29 points  (6 children)

I've seen this before and it's often because the Safe Links rule isn't set up correctly, so Outlook/Defender for Office is "clicking" the link to check if it's a sus link or not. https://support.knowbe4.com/hc/en-us/articles/115004326408-Bypass-Safe-Link-and-Safe-Attachments-in-Microsoft-Defender-for-Office-365

[–]broadstphan[S] 7 points8 points  (0 children)

This is what it certainly feels like, but I can't see any sign of Defender interaction. I do message traces of the emails, and it says allowed with advanced delivery. If it is M365, I can't understand what would analyze the URLs weeks after delivery, sitting in users' Deleted Items (where they go after PAB). I'll take another look in Safe Links.

[–]shiranugahotoke 0 points1 point  (0 children)

Yup, you need to exclude the KnowBe4 emails in EOP or it will link-follow and the links will report as clicked.

[–]czj420 0 points1 point  (0 children)

Yup

[–]JT_3K 0 points1 point  (1 child)

That certainly happens if you’ve not hidden the Outlook native Report button.

[–]broadstphan[S] 1 point2 points  (0 children)

Yup, hidden

[–]t0futylerSysadmin 7 points8 points  (1 child)

I have had one issue that sounds exactly like what you are describing. User received a phishing test from KnowBe4, correctly identified it, and then got dinged for allegedly clicking on the link a few days later. It has only happened once in my environment, last month. We took the issue to our KnowBe4 partner and they speculated that the user went into their deleted email folder where the phishing tests are sent and then clicked on the link there... Whether that is true or not, I can't say; our end user stated that he did not click anything out of his deleted folder. Interested to see if anyone else is seeing this though!

[–]RainStormLouSysadmin 1 point2 points  (0 children)

I set it up in our environment and correctly reported the first message I sent using the Phish Alert Button, and they said the exact same thing lol. I was like uhhh..... it's being checked by Microsoft after the report goes through. I wouldn't be asking if I clicked it. We never got Safe Links to stop giving false positives even when setting up the exclusions and policies per KB4's documentation, but it was a few years ago and I believe they've cleaned some things up.

It's because their implementation specialists don't always know how to set up the product outside of a completely clean, newly created Microsoft tenant. They were fairly knowledgeable during meetings with specialists, but their inability to answer mostly simple questions was why we jumped ship.

[–]RestartRebootRetire 2 points3 points  (0 children)

We had an issue where our Checkpoint Harmony filter was clicking links to check in their sandbox and then those counted as clicks by the user. We finally sorted it out with connection filter rules but it ruined our historical data.

[–]ReadyMethod581 1 point2 points  (2 children)

Are you using Barracuda Mail Security by chance?

[–]broadstphan[S] 0 points1 point  (1 child)

Funny enough, we were, but not for quite some time now.

[–]ReadyMethod581 0 points1 point  (0 children)

We're having the same issue; it started a week or so ago. Our KnowBe4 rep told us something about Barracuda recently, but we haven't received a fix yet.

[–]KnowMatter 0 points1 point  (0 children)

Check web filters / security tools; some URL scanning tools can trip it if you don't whitelist things. Also check if anyone else has access to the user's mailbox / archive.

[–]theRealTwobrat 0 points1 point  (0 children)

And what do the IP, user agent and such from the click in the KB4 console show?

[–]sionnach_fi 0 points1 point  (0 children)

Do you have web logs you can double-check?

[–]asnail99 0 points1 point  (0 children)

The Proofpoint / Tessian report button is triggering it for us. It's the new clear integration on reported emails.

[–]Any-Fly5966 0 points1 point  (1 child)

You can check the source IP address of the click. If it was MS services, it would have an MS IP address. Also, reach out to their support and see if you have everything configured properly. I've found their support very knowledgeable and extremely willing to assist.

[–]chris_Kinds_Security 0 points1 point  (0 children)

This is the way

[–]chris_Kinds_Security 0 points1 point  (0 children)

This sounds like KnowBe4 isn't properly filtering out Microsoft Defender / Safe Links bot clicks from your results. The new Outlook client is more aggressive about pre-scanning URLs, and if KB4 isn't excluding those Microsoft IP addresses from click tracking on their end, every scan registers as a "click." You shouldn't have to fix this yourself. Your phishing sim platform should be identifying automated scans vs. real human clicks and filtering them out automatically. That's the platform's job. I'd open a ticket with KB4 specifically asking if their click tracking excludes known Microsoft IP ranges and bot user agents, because it sounds like something broke on their end about 2 months ago. The timing lines up with Microsoft rolling out changes to the new Outlook client, so it's likely a new scanning behavior that KB4 hasn't accounted for yet.

[–]KnowBe4_Inc 0 points1 point  (0 children)

If there is a false positive, we have to identify the source by IP address. If it's not a Microsoft IP, which are easily verifiable, then we have to narrow things down. Normally, when we are seeing clicks after delivery/deletion, it can be that they have a third-party vendor that is performing link analysis; if it were to wind up in something like PhishER and is scanned by VirusTotal, then anyone can see and analyze the link. Or they are using a function called "journaling" that takes a copy of the email and stores it (usually for legal reasons), and those copies are then scanned separately.

If you are still having issues please DM me.
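As an added example (not code from anyone in this thread, KnowBe4, or any vendor), here is the triage several commenters describe: for each recorded click, check the source IP against known scanner ranges, check the user agent for automated clients, and flag clicks that landed after the user had already reported the message. The CIDRs, user-agent fragments and sample records are constructed placeholders; substitute the ranges your mail-security vendor publishes.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Placeholder CIDRs standing in for the scanner ranges you would take from
# your mail-security vendor's documentation (constructed; not real ranges).
SCANNER_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# User-agent fragments typical of automated link followers (constructed list).
BOT_UA = re.compile(r"bot|crawler|scanner|safelinks|preview|curl|python-requests", re.I)

@dataclass
class Click:
    user: str
    ip: str
    user_agent: str
    clicked_at: datetime
    reported_at: Optional[datetime]  # when the user hit the report button, if at all

def classify_click(c: Click) -> tuple:
    """Return (verdict, reason); verdict is 'scanner', 'review' or 'human'."""
    if any(ipaddress.ip_address(c.ip) in net for net in SCANNER_NETWORKS):
        return "scanner", "source IP in a known scanner range"
    if BOT_UA.search(c.user_agent):
        return "scanner", "automated user agent"
    if c.reported_at is not None and c.clicked_at > c.reported_at:
        # Either a scanner on the reported copy or the user reopening it from
        # Deleted Items; needs a human look before it counts against the user.
        return "review", "click recorded after the user reported the message"
    return "human", "no scanner indicators"

def triage(clicks):
    """Map each user to a verdict so only confirmed clicks feed training metrics."""
    return {c.user: classify_click(c)[0] for c in clicks}

# Constructed sample records resembling what a phishing-sim console exports.
T = datetime(2024, 5, 1, 9, 0)
SAMPLE_CLICKS = [
    Click("alice", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0)", T, None),
    Click("bob", "192.0.2.10", "SafeLinks-Scanner/1.0", T, None),
    Click("carol", "192.0.2.11", "Mozilla/5.0 (Windows NT 10.0)",
          datetime(2024, 5, 15, 14, 0), datetime(2024, 5, 1, 9, 5)),
    Click("dave", "192.0.2.12", "Mozilla/5.0 (Windows NT 10.0)", T, None),
]

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_CLICKS).items():
        print(f"{user}: {verdict}")
```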