Issue
All the phishing messages sent to the users are showing as being clicked and/or opened in Security Awareness


Cause

Microsoft 365's Advanced Threat Protection for links is clicking on the links inside the messages to check to see if the links are dangerous. The problem is that this makes Proofpoint think that the links are clicked and the messages are opened. So everybody is marked has having failed the test. 


You can tell this is happening by looking at the originating IPs the clicks are coming from. In the highlighted column on the right side of the screenshot, doing an IP whois on them shows they are all Microsoft IP addresses.



Fix

You need to create a mail flow rule to bypass ATP link checking.

  1. Create a new mail flow rule in your Exchange admin center
  2. Give the rule a name (i.e. Bypass ATP Link Checking)
  3. Click more options
  4. Apply this rule if 
    1. A the sender IP address is in any of these ranges or ...
    2. Put in the IPs belonging to Proofpoints Security Awareness Delivery servers.
      52.1.14.157

      54.173.83.138 

      54.229.2.165 

      52.17.45.98 

      52.16.190.81

      52.30.130.201 

      107.23.16.222 

      107.20.210.250

  5. Set the message header: X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
    AND  set the spam confidence (SCL) to Bypass spam filtering
  6. Save your new rule