Classify click false positives
Use this runbook when a customer reports unexpected click/failure spikes or asks whether failures were caused by security scanners.
Before you begin
You need:
- Customer organization name.
- Campaign name or campaign URL.
- Approximate time window of the spike.
- Customer claim, such as “users did not click” or “Microsoft Safe Links clicked these.”
- Open ActiveAdmin.
- Find the correct customer organization.
- Open the relevant campaign or campaign-related records.
- Review affected recipients and event timestamps.
- Look for scanner patterns:
  - Many clicks within seconds of delivery.
  - Clicks clustered before normal business interaction.
  - Multiple recipients with the same or similar timestamp pattern.
  - Clicks without downstream training activity.
  - Clicks from proxy/security infrastructure when visible in ActiveAdmin.
- Look for human patterns:
  - Click happens meaningfully after delivery.
  - User proceeds beyond the link to the landing page or training flow.
  - Event timing is distributed across users.
  - The customer confirms the user interacted with the email.
- Classify each row as likely scanner, likely human, or inconclusive.
Expected result
You can explain whether the spike is mostly scanner-driven, mostly human, or not determinable from ActiveAdmin.
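The classification steps above and the overall verdict they lead to can be expressed as a small triage script. The example below is added here and is not part of the runbook or of ActiveAdmin; the field names (delivery time, click time, whether the user reached the landing page, whether the customer confirmed the interaction) are assumptions about what you transcribe from the event view, the thresholds are assumptions to tune against real campaigns, and the events are constructed sample data. It applies the scanner and human patterns to each row, then rolls the per-row labels up into the "mostly scanner-driven / mostly human / not determinable" verdict.

```python
"""Heuristic triage of phishing-simulation click events (added example, not vendor code).

Labels each click as likely scanner, likely human, or inconclusive, then summarizes
the campaign the way the runbook's "Expected result" asks for.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against your own campaigns.
SCANNER_WINDOW = timedelta(seconds=30)    # "clicks within seconds of delivery"
HUMAN_MIN_DELAY = timedelta(minutes=2)    # "click happens meaningfully after delivery"
CLUSTER_TOLERANCE = timedelta(seconds=5)  # "same or similar timestamp pattern"
CLUSTER_MIN_SIZE = 3                      # recipients needed before we call it a cluster


@dataclass(frozen=True)
class ClickEvent:
    """One row from the event view (assumed field names)."""
    recipient: str
    delivered_at: datetime
    clicked_at: datetime
    reached_landing: bool            # proceeded beyond the link to landing page / training
    customer_confirmed: bool = False  # customer confirms the user really interacted


def _delay(e: ClickEvent) -> timedelta:
    return e.clicked_at - e.delivered_at


def clustered_recipients(events):
    """Recipients whose click offset after delivery is shared, within
    CLUSTER_TOLERANCE, by at least CLUSTER_MIN_SIZE recipients (itself included)."""
    out = set()
    for e in events:
        near = sum(1 for o in events if abs(_delay(o) - _delay(e)) <= CLUSTER_TOLERANCE)
        if near >= CLUSTER_MIN_SIZE:
            out.add(e.recipient)
    return out


def classify_event(e: ClickEvent, clustered: bool) -> str:
    delay = _delay(e)
    # Human patterns: the customer confirms it, or a delayed click went on to the landing page.
    if e.customer_confirmed or (delay >= HUMAN_MIN_DELAY and e.reached_landing):
        return "likely human"
    # Scanner patterns: a near-instant click that is part of a timestamp cluster
    # or shows no downstream training activity.
    if delay <= SCANNER_WINDOW and (clustered or not e.reached_landing):
        return "likely scanner"
    # Anything else (e.g. a late click that never reached the landing page) stays open.
    return "inconclusive"


def classify_campaign(events):
    """Map each recipient to a label, using the whole campaign for cluster detection."""
    clustered = clustered_recipients(events)
    return {e.recipient: classify_event(e, e.recipient in clustered) for e in events}


def summarize(labels):
    """Return (verdict, counts). A label must outnumber both others to be 'mostly'."""
    counts = Counter(labels.values())
    s, h, i = counts["likely scanner"], counts["likely human"], counts["inconclusive"]
    if s > max(h, i):
        verdict = "mostly scanner-driven"
    elif h > max(s, i):
        verdict = "mostly human"
    else:
        verdict = "not determinable from ActiveAdmin"
    return verdict, dict(counts)


# Constructed sample campaign: everything delivered at T0.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    ClickEvent("a@example.com", T0, T0 + timedelta(seconds=3), reached_landing=False),
    ClickEvent("b@example.com", T0, T0 + timedelta(seconds=4), reached_landing=False),
    ClickEvent("c@example.com", T0, T0 + timedelta(seconds=5), reached_landing=False),
    ClickEvent("d@example.com", T0, T0 + timedelta(seconds=6), reached_landing=False),
    ClickEvent("e@example.com", T0, T0 + timedelta(seconds=20), reached_landing=True),   # fast, but finished the flow
    ClickEvent("f@example.com", T0, T0 + timedelta(minutes=47), reached_landing=True),
    ClickEvent("g@example.com", T0, T0 + timedelta(hours=3, minutes=30), reached_landing=False),
    ClickEvent("h@example.com", T0, T0 + timedelta(minutes=12), reached_landing=False,
               customer_confirmed=True),
]

if __name__ == "__main__":
    labels = classify_campaign(SAMPLE_EVENTS)
    for recipient, label in labels.items():
        print(f"{recipient:16} {label}")
    print(summarize(labels))
```

The per-row rules are deliberately conservative: a single fast click that did reach the landing page, or a late click that did not, is left inconclusive rather than forced into a bucket, which matches the customer-safe wording of not treating scanner-like rows as confirmed human failures without further review.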
Customer-safe language
Use:
We reviewed the campaign events available to support. Several clicks show scanner-like timing patterns, so we do not recommend treating those as confirmed human failures without further review.
Avoid:
These were definitely not real clicks.
Escalate when
- The customer needs IP/ASN-level proof not visible in ActiveAdmin.
- The classification affects billing, contractual reporting, or executive reporting.
- You suspect cross-tenant data exposure.
- ActiveAdmin event data does not match the customer-facing report.