Dec 14 2022 02:33 PM
Several times a week (10 times today) I get alerts from [email address removed for privacy reasons] saying that someone has clicked a potentially malicious URL.
Any time I have investigated it has never been true. Sometimes the user has deleted it. Sometimes they haven't seen it until I call them, so they have not clicked on anything. Sometimes the person is out of the office and hasn't opened email. Other times our third-party anti-virus has deleted them from the user's mailbox before they see them.
The alerts take 20 minutes or half an hour to investigate and are never true, so I just ignore them now.
Is there some better way to handle these or to only get alerts that are real?
Jan 03 2023 05:23 AM
Jan 30 2023 07:34 AM
Support said:
"When the Safe Links policies are enabled, the click isn't actually a click on a link by a user. With the Safe Links policies enabled, the malicious URLs received in emails are rewritten then scanned for the malicious content.
To elaborate it further, if you have an anti-virus installed on the computer that checks the URLs to see if they are malicious, then that anti-virus would "click" the URL to test it, which would trigger as a click.
So it's fully possible that the users themselves didn't click the URLs, but something did."
They think that Trend Micro Apex One is checking the mailboxes for malware and triggering the alerts. We are opening a support ticket with Trend to see if others are encountering this.
May 08 2023 08:02 AM
Thanks for the suggestion but I don't think there are any settings to fix it.
What is happening is that emails with bad links get past ATP so go into users' mailboxes. Trend then checks the mailbox, realizes there is a bad link and removes the email from users' mailboxes. When ATP eventually realizes the link was bad, it thinks that Trend checking and deleting the email means that the user has clicked on the link. So, it sends an alert that the link was clicked when it wasn't.
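The manual checks described in this thread (was the message ever read, was the user out of the office, did the anti-virus remove it before the user saw it) can be scripted as a first-pass triage of click alerts. This is an added example, not part of the original posts and not Microsoft or Trend Micro tooling; the record layout, field names and sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data. Field names are hypothetical, not a vendor schema.
CLICK_ALERTS = [
    {"user": "alice@example.com", "msg_id": "m1", "clicked": "2023-05-08T08:00:05"},
    {"user": "bob@example.com", "msg_id": "m2", "clicked": "2023-05-08T09:15:00"},
    {"user": "carol@example.com", "msg_id": "m3", "clicked": "2023-05-08T10:30:00"},
    {"user": "dave@example.com", "msg_id": "m4", "clicked": "2023-05-08T11:00:00"},
]
# Per message: when the user first read it and when the AV removed it (None = never).
MAILBOX_STATE = {
    "m1": {"first_read": None, "av_removed": "2023-05-08T08:00:04"},
    "m2": {"first_read": "2023-05-08T09:14:30", "av_removed": None},
    "m3": {"first_read": None, "av_removed": None},
    "m4": {"first_read": "2023-05-08T11:20:00", "av_removed": None},
}
OUT_OF_OFFICE = {"carol@example.com"}  # users with an active auto-reply

def _ts(value):
    """Parse an ISO timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None

def triage(alert, mailbox_state, out_of_office):
    """Return (verdict, reasons) for one click alert."""
    state = mailbox_state.get(alert["msg_id"])
    if state is None:
        return "needs_review", ["no mailbox record for message"]
    clicked = _ts(alert["clicked"])
    first_read = _ts(state["first_read"])
    av_removed = _ts(state["av_removed"])
    reasons = []
    # The user cannot have clicked a link in a message they had not opened yet.
    if first_read is None or first_read > clicked:
        reasons.append("message unread at click time")
    # The AV pulled the message before the user ever read it.
    if av_removed is not None and (first_read is None or av_removed <= first_read):
        reasons.append("AV removed message before user read it")
    if alert["user"] in out_of_office:
        reasons.append("user out of office")
    return ("likely_automated" if reasons else "needs_review"), reasons

def triage_all(alerts, mailbox_state, out_of_office):
    """Triage every alert, keyed by message id."""
    return {a["msg_id"]: triage(a, mailbox_state, out_of_office) for a in alerts}

if __name__ == "__main__":
    for msg_id, (verdict, reasons) in triage_all(
            CLICK_ALERTS, MAILBOX_STATE, OUT_OF_OFFICE).items():
        print(msg_id, verdict, "; ".join(reasons))
```

Alerts that come back as `needs_review` (the message was read before the click and nothing else explains it) are the ones worth the 20 to 30 minutes of manual investigation.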