Why is Office365 automatically opening and clicking emails?

Email marketer from Reddit shares that some email clients cache images by pre-fetching them from the server. This process of pre-fetching can register as an 'open' even if the recipient hasn't actually viewed the email.

Email marketer from Litmus explains that some email clients or security tools perform link validation checks. These tools might automatically click on links in an email to ensure they are valid and safe, thus inflating click rates.

Marketer from Email Geeks shares that Office365 hosted domains opening and clicking on emails automatically is very common in the Enterprise / B2B space, and becoming more common in the B2B space.

Email marketer from Super User forum shares that Anti-virus software could also be a reason as some AV programs scan links within emails.

Email marketer from Email on Acid shares that security systems may pre-fetch and scan links in emails to protect users. This pre-fetching action triggers a click before the user interacts with the email.

Marketer from Email Geeks explains that you can clean your data up and learn to filter it out if your ESP can't. Also avoid 1-click unsubscribe in the *body.*

Email marketer from Microsoft Support explains that Office 365 Advanced Threat Protection (ATP) includes Safe Links, which proactively scans URLs in emails at the time of click. This can result in URLs being visited by Microsoft's systems, leading to false-positive clicks.

Email marketer from Proofpoint shares that security solutions rewrite URLs to point to their scanning infrastructure. When users click these rewritten links, the security vendor analyzes the destination page for malicious content before redirecting the user, creating a 'click' even if the user doesn't fully load the page.

Email marketer from Gmass explains that If the recipient of your emails is using Gmail, the Gmass tracking pixel will always show the location of where the email was opened.

Email marketer from Marketing Land shares that automated clicks can negatively impact sender reputation if not correctly filtered, potentially leading to deliverability issues.

Email marketer from Email Vendor Guide shares that bot mitigation solutions, such as those implemented by email security vendors, may click on links to profile email senders and assess risk. These clicks, even if performed by bots, can skew email marketing metrics.

Email marketer from Stack Overflow explains that corporate email systems often scan incoming emails for viruses and malware. This scanning process may involve opening links within the email, which would register as a click and, in some cases, an open.

Expert from Email Geeks shares they’ve also seen other people Suddenly Surprised by O365 doing this and it feels like there’s something about their mail or behaviour that triggers the sudden interest.

Expert from Email Geeks confirms the issue of Office365 auto opens and clicks.

Expert from Word to the Wise shares that click and open issues are often a problem and can't easily be solved. You can try to filter out the data where the User Agent is the same, or the IPs are the same within a short period of time.

Expert from Email Geeks shares that Microsoft seems to be cycling through senders and even good senders are seeing this behavior from them. Not sure if it's behavior related or if it's just them training their AI or something.

Expert from Email Geeks shares one client that was paying for analytics on the website had their bill kinda went a little bonkers when Microsoft targeted them.

Expert from Email Geeks explains that unless you’re doing something unwise with unsub clicks, the worst effect will probably be messing up your metrics (and maybe load on your image servers, redirect servers, but they’d have to be pretty underspecced for that to be a big problem).

Documentation from Microsoft clarifies that Safe Links in Microsoft Defender for Office 365 helps protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Each URL is rewritten and checked against a list of known malicious links, potentially triggering a 'click' during the verification process.

Documentation from SANS Institute details that URL detonation is a common technique where security systems automatically visit URLs in emails in a controlled environment (sandbox) to check for malicious behavior, resulting in automated clicks.

Documentation from Cisco Talos explains that many email security systems detonate URLs in a sandbox environment to analyze their behavior. These automated detonations result in recorded clicks and opens, even though a real user did not interact with the email.