Attack simulation 100% false clicks

I occasionally encounter an issue where my simulations mistakenly mark all users as compromised, with the first click occurring as early as 9 seconds, averaging 18 seconds. Despite considering defensive software, my investigations show inconsistency:

- Only 1 out of 3 different payloads sent to separate groups had this issue. 
- Repeating the test with a smaller group did not replicate the problem.
- Clicks are recorded before the email is even opened, regardless of the email client, including Outlook and those on MacOS.
- All workstations have Defender installed.

This leads me to conclude the issue occurs randomly, without correlation to the payload, platform, or user behavior.

But of course it's not like that.

Right?