Enterprise marketers know the pain: Outlook recipients generate absurd click rates with no corresponding conversion lift. We covered SafeLinks in an earlier post. This one goes deeper — into the Defender for Office 365 behaviours that cause distinct, identifiable click patterns you can use to segment out the noise.
SafeLinks vs Defender: the important distinction
SafeLinks is the URL-rewriting feature of Defender for Office 365. It is not part of plain Exchange Online Protection, which every tenant has; it arrives with Defender for Office 365 Plan 1 or Plan 2, or with a bundle that includes one of them (Microsoft 365 E5, Business Premium). Beyond SafeLinks, Defender for Office 365 adds:
- Safe Attachments (Plan 1 and 2) — detonates attachments in a sandbox; the sandbox also renders the HTML body of the message, which is how it ends up following your links.
- Advanced anti-phishing (Plan 1 and 2) — impersonation detection, mailbox intelligence, and URL click tracking.
- Campaign Views (Plan 2) — groups related messages and their URL clicks so they can be correlated.
- Automated Investigation and Response (Plan 2) — crawls URLs when an alert fires, often hours after delivery.
Each of these can register a click on your tracking links. Identifying which layer fired tells you what the click means and how to clean the metric.
Click signatures from each Defender component
Safe Attachments sandbox
Timing: usually within 60 seconds of delivery
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/<varies> Safari/537.36
IP ranges: 40.92.0.0/16, 52.96.0.0/12, 2a01:111::/32 (Microsoft)
Referer: often empty or Outlook
Pattern: clicks every link in the email within about 10 seconds

The telltale is "every link in the email" combined with a Chrome UA string from a Microsoft IP. Safe Attachments uses a headless Chrome-based sandbox, and real Chrome on a corporate network does not egress from Microsoft's mail ranges. Two cautions: do not hardcode the ranges above, check them against Microsoft's published Office 365 endpoint list, which changes; and keep your "Microsoft ranges" list scoped to the mail and Defender ranges, because a list broad enough to cover all of Azure will also catch real users on Microsoft-hosted desktops (Windows 365, Azure Virtual Desktop).
SafeLinks time-of-click check
Timing: paired with a human click, milliseconds apart
User-Agent: Microsoft Office / ms-office / msoffice
IP ranges: Microsoft ranges, often Exchange Online
Referer: safelinks.protection.outlook.com
Pattern: two clicks on the same link: the scanner first, then the human

When a recipient in a tenant with SafeLinks enabled clicks, SafeLinks re-verifies the URL's reputation in real time. The scanner click lands first and the human's follows milliseconds later, so you get two events for one action. ESPs rarely deduplicate these.
Campaign View correlation
Timing: bursty, often 1 to 24 hours after delivery
User-Agent: empty or generic
IP ranges: Microsoft ranges
Referer: empty
Pattern: one link clicked by many recipients nearly simultaneously; tied to an alert or investigation

If a single URL suddenly collects 30 clicks from different recipients within 60 seconds, days after the send, that is a Campaign View correlation pass: Defender is investigating something about your sending domain's reputation.
Automated Investigation and Response
Timing: hours to days after delivery
User-Agent: varies; often security-scanner UAs
IP ranges: Microsoft ranges plus third-party threat-intel sources
Referer: empty
Pattern: crawls every link in a subset of messages when a threat alert is raised in the tenant

This one is nasty because it can fire days later on messages that were already read and converted. The clicks look like genuine re-engagement; they are not.
A decision table for classifying Outlook clicks
    IF   referer matches safelinks.protection.outlook.com
         AND time_since_delivery < 5s
         -> scanner_safelinks_delivery
    ELSE IF referer matches safelinks.protection.outlook.com
         AND time_since_delivery >= 5s
         AND another click by the same recipient on the same link exists within 500ms
         -> paired: scanner_timeofclick (the earlier click) + human (the later one)
    ELSE IF ip IN microsoft_ranges
         AND clicks_by_this_recipient_on_this_msg >= 5
         AND time_since_delivery < 60s
         -> scanner_safe_attachments
    ELSE IF ip IN microsoft_ranges
         AND many_recipients_hit_same_url_within_60s
         -> scanner_campaign_view
    ELSE IF ip IN microsoft_ranges
         AND time_since_delivery > 1 hour
         AND referer empty
         -> scanner_air_or_mbi
    ELSE
         -> human

Order matters: the rules are evaluated top to bottom and the first match wins, so a Microsoft-sourced burst is labelled campaign_view before the looser AIR rule can claim it. In a warehouse you can codify this as a SQL CASE expression over a window function (or a correlated subquery) that looks at the other clicks from the same recipient on the same message.
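The click signatures above and the decision table, run as SQL over a constructed click log in SQLite. This is an added example, not the post's own warehouse code: the Microsoft ranges are the ones quoted in the post and should be refreshed from Microsoft's published endpoint list; the campaign-burst threshold is an assumed tunable, lowered to 3 so the sample stays small; the referer, IP and timestamp values are made up; and the pair rule is split the way the post's own observation implies, earlier click = scanner, later click = human.

```python
"""Decision table from the post as a SQL CASE over an in-memory warehouse.

Added example, not the post's own code. The click log is constructed, the
Microsoft ranges are the ones quoted in the post (refresh them from the
published Office 365 endpoint list before relying on them), and the
campaign-burst threshold is an assumed, tunable value.
"""
import ipaddress
import sqlite3

MICROSOFT_RANGES = [ipaddress.ip_network(n) for n in
                    ("40.92.0.0/16", "52.96.0.0/12", "2a01:111::/32")]
CAMPAIGN_BURST_MIN_RECIPIENTS = 3   # assumption; the post's example burst is 30


def is_microsoft_ip(ip):
    """CIDR containment done in Python at ingest; warehouses vary in CIDR support."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_RANGES)


# Constructed click log for one message (m1) delivered to every recipient at
# epoch 1000.0. SAFELINKS stands for any *.safelinks.protection.outlook.com rewrite.
DELIVERED_AT = 1000.0
SAFELINKS = "https://eur01.safelinks.protection.outlook.com/?url=..."


def click(click_id, recipient, url, offset_s, ip, referer=""):
    """Row layout: click_id, recipient, msg_id, url, ts, delivered_at, ip, referer."""
    return (click_id, recipient, "m1", url, DELIVERED_AT + offset_s, DELIVERED_AT, ip, referer)


SAMPLE_CLICKS = [
    # Safe Attachments sandbox: every link in alice's copy, seconds after delivery, Microsoft IP
    *[click(f"a{i}", "alice", f"https://example.com/l{i}", 3 + i, "40.92.1.2") for i in range(5)],
    # Safe Links delivery-time scan on bob's copy, 1.5 s after delivery
    click("s1", "bob", "https://example.com/l2", 1.5, "52.96.10.11", SAFELINKS),
    # Safe Links time-of-click: the scanner fires, then bob, 200 ms apart, both via the rewrite
    click("b1", "bob", "https://example.com/l1", 7200.0, "52.96.10.10", SAFELINKS),
    click("b2", "bob", "https://example.com/l1", 7200.2, "203.0.113.10", SAFELINKS),
    # carol: a lone human click through the rewritten link, ten minutes after delivery
    click("c1", "carol", "https://example.com/l2", 600.0, "198.51.100.7", SAFELINKS),
    # Campaign View burst: three recipients hit the same URL within 60 s, a day later
    click("d1", "dave", "https://example.com/l1", 86400.0, "52.96.20.1"),
    click("e1", "erin", "https://example.com/l1", 86410.0, "52.96.20.2"),
    click("f1", "frank", "https://example.com/l1", 86450.0, "52.96.20.3"),
    # AIR crawl: a single Microsoft-sourced hit three days later with no referer
    click("g1", "gina", "https://example.com/l3", 3 * 86400.0, "2a01:111:f400::1"),
]

CLASSIFY_SQL = """
WITH enriched AS (
  SELECT c.*,
         c.ts - c.delivered_at                                  AS t_since_delivery,
         c.referer LIKE '%safelinks.protection.outlook.com%'    AS via_safelinks,
         COUNT(*) OVER (PARTITION BY c.recipient, c.msg_id)     AS clicks_by_recipient_on_msg,
         -- another click by the same recipient on the same link within 500 ms ...
         EXISTS (SELECT 1 FROM clicks o WHERE o.recipient = c.recipient AND o.url = c.url
                   AND o.click_id <> c.click_id AND ABS(o.ts - c.ts) <= 0.5) AS has_twin,
         -- ... and whether that twin came first (the scanner fires before the human)
         EXISTS (SELECT 1 FROM clicks o WHERE o.recipient = c.recipient AND o.url = c.url
                   AND o.click_id <> c.click_id AND o.ts < c.ts AND c.ts - o.ts <= 0.5) AS has_earlier_twin,
         (SELECT COUNT(DISTINCT o.recipient) FROM clicks o
            WHERE o.url = c.url AND ABS(o.ts - c.ts) <= 60)     AS recipients_same_url_60s
  FROM clicks c
)
SELECT click_id,
  CASE
    WHEN via_safelinks AND t_since_delivery < 5                          THEN 'scanner_safelinks_delivery'
    WHEN via_safelinks AND has_twin AND NOT has_earlier_twin             THEN 'scanner_timeofclick'
    WHEN via_safelinks AND has_twin AND has_earlier_twin                 THEN 'human'
    WHEN is_ms_ip AND clicks_by_recipient_on_msg >= 5
                  AND t_since_delivery < 60                              THEN 'scanner_safe_attachments'
    WHEN is_ms_ip AND recipients_same_url_60s >= :burst                  THEN 'scanner_campaign_view'
    WHEN is_ms_ip AND t_since_delivery > 3600
                  AND (referer IS NULL OR referer = '')                  THEN 'scanner_air_or_mbi'
    ELSE 'human'
  END AS click_type
FROM enriched
"""


def classify_clicks(rows, burst=CAMPAIGN_BURST_MIN_RECIPIENTS):
    """Load rows into an in-memory warehouse and return {click_id: click_type}."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE clicks (click_id TEXT PRIMARY KEY, recipient TEXT, msg_id TEXT,
                   url TEXT, ts REAL, delivered_at REAL, ip TEXT, referer TEXT, is_ms_ip INTEGER)""")
    con.executemany("INSERT INTO clicks VALUES (?,?,?,?,?,?,?,?,?)",
                    [(*row, int(is_microsoft_ip(row[6]))) for row in rows])
    return dict(con.execute(CLASSIFY_SQL, {"burst": burst}).fetchall())


if __name__ == "__main__":
    for cid, kind in sorted(classify_clicks(SAMPLE_CLICKS).items()):
        print(cid, kind)
```

The CIDR test runs in Python at insert time so the SQL stays portable. Raising burst above the sample's three recipients makes d1, e1 and f1 fall through to scanner_air_or_mbi, which is exactly why the rule order in the table matters.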
Why you need all four categories
For CTR reporting you can collapse them into a single is_defender_bot flag. But for deliverability diagnostics each pattern means something different:
- A Safe Attachments spike usually means your message triggered the sandbox threshold. Your HTML is suspicious (heavy images, many external resources, unusual encoding). Clean HTML reduces this.
- A SafeLinks time-of-click doubling is normal for every recipient in a tenant with SafeLinks turned on. It mostly tells you what fraction of your list sits behind Defender for Office 365.
- A Campaign View burst means Defender grouped your messages. That can be a neutral grouping or it can be a flagged campaign. Watch for follow-up blocks.
- An AIR crawl days later is the worst signal: Defender flagged something. Next send to M365 may be quarantined. Time to seed-test and check reputation.
Pause and run a placement test immediately. If Defender is investigating, your next blast risks quarantine. Inbox Check seeds Outlook and M365 inboxes and shows you the current placement before you lose a whole segment.
Instrumenting your tracker
A few small additions to your tracking endpoint make this analysis much easier:
- Log Accept, Accept-Language and the Sec-Fetch-* headers. Real browsers send them consistently on a navigation; scanners set them inconsistently or omit them.
- Log X-Forwarded-For, raw. The originating IP often sits several proxies deep. Take the hop appended by your own edge proxy, not the leftmost entry, which the client controls and can spoof.
- Set a first-party cookie on the first click. Later hits without the cookie are almost always bots, which do not keep a cookie jar; allow for the minority of humans who block cookies.
- Add a tiny /verify pixel on your landing page. A real browser fires it; a link-scanning bot usually does not, because it does not render the landing HTML.
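A tracker endpoint instrumented along those lines, as an added example (pure-stdlib WSGI, not the post's own tracker): it logs the headers listed above, resolves the client IP from X-Forwarded-For by trusting only your own proxy hops, sets the first-party cookie on the first click, and serves the /verify pixel. The path names, the cookie name, the TRUSTED_PROXY_HOPS value and the landing URL are assumptions; the requests it runs are constructed; and it assumes the tracking host and the landing page share a registrable domain, otherwise a SameSite=Lax cookie would not accompany the pixel request.

```python
"""Tracker endpoint instrumented as the post suggests.

Added example, not the post's own tracker. Pure-stdlib WSGI so it runs offline.
Paths, the cookie name, TRUSTED_PROXY_HOPS and LANDING are assumptions; the
landing page is assumed to share a registrable domain with the tracker so the
cookie is first-party and rides along with the /verify pixel request.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

TRUSTED_PROXY_HOPS = 1   # assumption: one reverse proxy of ours appends to X-Forwarded-For
LANDING = "https://example.com/landing"   # hypothetical; resolve the real target from the click id
                                          # server-side, never from a query parameter (open redirect)
PIXEL = bytes.fromhex("474946383961" "01000100" "800000" "000000" "ffffff"   # 1x1 transparent GIF
                      "21f9040100000000" "2c00000000010001000002024401003b")
EVENTS = []              # stands in for the ingest queue feeding the warehouse


def client_ip(environ):
    """Pick the first address that our own proxies did not add.

    Each proxy appends the peer it received from, so reading from the right and
    skipping TRUSTED_PROXY_HOPS entries lands on the real client. The leftmost
    entry is whatever the client chose to send and must not be trusted."""
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    hops.append(environ.get("REMOTE_ADDR", ""))   # the peer that connected to this app
    return hops[max(len(hops) - 1 - TRUSTED_PROXY_HOPS, 0)]


def collect(environ):
    """Everything the post asks to log, plus the raw X-Forwarded-For for audit."""
    return {
        "path": environ.get("PATH_INFO", "/"),
        "click_id": parse_qs(environ.get("QUERY_STRING", "")).get("c", [""])[0],
        "ip": client_ip(environ),
        "xff_raw": environ.get("HTTP_X_FORWARDED_FOR", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "referer": environ.get("HTTP_REFERER", ""),
        "accept": environ.get("HTTP_ACCEPT", ""),
        "accept_language": environ.get("HTTP_ACCEPT_LANGUAGE", ""),
        # Sec-Fetch-* arrive as HTTP_SEC_FETCH_*; browsers send them on every navigation,
        # link scanners tend to omit or mangle them
        "sec_fetch": {k[5:].lower().replace("_", "-"): v
                      for k, v in environ.items() if k.startswith("HTTP_SEC_FETCH_")},
        "had_cookie": "trk" in SimpleCookie(environ.get("HTTP_COOKIE", "")),
    }


def tracker(environ, start_response):
    """WSGI app: /verify serves the pixel, anything else is a tracked click."""
    event = collect(environ)
    EVENTS.append(event)
    if event["path"] == "/verify":
        event["kind"] = "render"
        start_response("200 OK", [("Content-Type", "image/gif"), ("Cache-Control", "no-store")])
        return [PIXEL]
    event["kind"] = "click"
    headers = [("Location", LANDING), ("Cache-Control", "no-store")]
    if not event["had_cookie"]:
        # set on the first click only; a scanner without a cookie jar never sends it back
        headers.append(("Set-Cookie", "trk=" + secrets.token_urlsafe(16)
                        + "; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax"))
    start_response("302 Found", headers)
    return [b""]


def click_outcomes(events=EVENTS):
    """Per click id: was it clicked, did the landing page render, was the cookie present."""
    out = {}
    for e in events:
        rec = out.setdefault(e["click_id"], {"clicked": False, "rendered": False,
                                             "had_cookie_on_click": None})
        if e["kind"] == "click":
            rec["clicked"], rec["had_cookie_on_click"] = True, e["had_cookie"]
        else:
            rec["rendered"] = True
    return out


def simulate(path, query="", headers=None, remote_addr="10.0.0.5"):
    """Run one constructed request through the app; remote_addr plays our edge proxy."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "https"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, response_headers

    body = b"".join(tracker(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # constructed traffic: a scanner click that never renders, and a human who does
    simulate("/t", "c=scan1", {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "52.96.10.10"})
    simulate("/t", "c=human1", {"Accept-Language": "en-GB", "Sec-Fetch-Mode": "navigate",
                                "X-Forwarded-For": "198.51.100.7, 203.0.113.9"})
    simulate("/verify", "c=human1", {"Cookie": "trk=abc", "Sec-Fetch-Dest": "image"})
    for cid, outcome in click_outcomes().items():
        print(cid, outcome)
```

A click that is never followed by a /verify render for the same click id, or a repeat click that arrives without the cookie, is the scanner signature the list above describes; the ip field is the address your own proxy saw, so a spoofed leading X-Forwarded-For entry cannot make a scanner look like a corporate network.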
Engineering note: dedupe at ingest, not at report
Many teams try to clean up clicks in the BI layer. We recommend tagging at ingest so your event store is canonical. A click_type column populated at the edge lets every downstream consumer (real-time trigger, send-time optimiser, finance dashboard) make consistent decisions.