Forum Discussion
Microsoft Attack Simulation Test generating false positive clicks when user forward email
I ran a Microsoft Security phishing simulation test for users. Some users detected it as phishing and forwarded emails to helpdesk to review. It looks like Microsoft does its due diligence when a email is forwarded and this generates an auto click or attachment opened condition and user is falsely assigned a training as having clicked or opened attachment in email. Any fix for this? Also is there a way to find out who clicked on email? These emails are generated internally and do not show details in email message trace as well.
1 Reply
- You could write a mail flow rule so that any forwarded copy of a simulation goes into a shared mailbox or the hosted quarantine rather than to its destination. The initial delivery might be direct to the mailbox, but any forwarded message is an ordinary e-mail and can be handled as such. Personally I count forwarding as an attempt to report the simulated phish, even though it's not the ideal thing for the recipient to do.
