This is definitely not working correctly. In our most recent campaign, I saw that 11 users clicked on a link in a campaign. 30 minutes into the campaign, the "Fastest Caught" user was not one of those initial 11.
I could see why the reporting would take longer to show up in Central, but the fastest caught user should still be the first. Are you sure there is no way that the user couldn't have clicked prior to the 11?
I called the end user, who I know and trust. He didn't even open the email for 25-30 minutes. Also, in the last 4 campaigns, 3 of the 4 end users that were the fastest all said that they didn't open it until much later.
Hmmm, I wonder if this would have something to do with how their email is set up. For example, is the email downloaded then stored locally? (Obviously.) But is there something in their settings that is causing Phish Threat to see it as open? Or maybe a specific phone app they are using? I would pick one of the 11 you saw open it against the one Phish Threat is claiming opened it first and compare their mail settings on their computer, phone and online to see if anything stands out.
This was an issue on our end. The end users that were fastest click had their email going through a 3rd party system to scan for malware, ransomware, etc. So the 3rd party was instantaneously opening and scanning the email, which was causing a false positive.
I've raised a feature request regarding this situation - there isn't an easily found list of IP addresses & URLs that need whitelisting. O365 ATP & Mimecast will open these links as soon as the emails are sent, invalidating any results.
Please vote up the feature request here. https://ideas.sophos.com/forums/593590-phish-threat/suggestions/37211668-the-pre-requisites-for-office-365-atp-configuration