In our last 3 attack simulations (MDO) we've sent out to employees, we've had increasingly more and more employees who are saying they didn't open the attachment and/or didn't click on the link. (They received the training email and asked "why" they received it.......)

Is there a way to prove/disprove they did or did not? 

I've checked the settings on our simulations and they have been configured correctly. I don't want to point "blame" on any of our "compromised" users as now I'm uncertain as to whether or not they were truly compromised. Is there something I'm missing here? Thanks everyone