Links really clicked?
How did they determine the phishing link was clicked?
A lot of the (insanely resource hammering but that's a different issue) security suites that plug their tentacles into as many parts of the system as they can do things such as as "investigate" links in emails (which could mean the security software visiting that link without user awareness)
AC as employer enforces bloaty, performance destroying AV software on work PC and I know the (mandated) Outlook add in it uses does sometimes access URIs in emails (quite often have outgoing traffic monitoring running as work as coder on lots of client / server comms apps so plenty of debugging logs of all networking on some bug hunts, get to see a lot of bandwidth abusing behind the scenes apps - especially glares at Chrome).
Biting the hand that feeds IT
