Microsoft
MicrosoftI've been getting a heap of these alerts recently, and while they're useful in theory - in practice they tend to be a notification that a suspect URL is in a campaign that our protection systems have sandboxed en-masse, reviewed and most likely dumped before the message got into any real mailbox.
Is there any way you can expose the IP of the device that's marked as 'clicking'? If we could see the source of the click as well as the associated recipient, it would be much easier to ID if that's a real end user device.
If I see alerts that at 4.am 50+ people all followed a link, but from an IP in the same small block - I can quickly note it's the sandbox at work - the latter drawn from a swathe of alerts that landed last night. I'm pretty sure for a mostly office hours org, we don't have quite so many reading email and following links at that exact same time give or take a few milliseconds..
(even better would then be to let us plug in the IP ranges of our known sandboxes so we could exclude reporting on them, unless we wanted to see how much work the protection layers are doing for us)
