This is definitely not working correctly. In our most recent campaign, I saw 11 users clicked on a link in a campaign. 30 minutes into the campaign, the "Fastest Caught" user was not one of those 11 initial 11.
Ive raised a feature request regarding this situation - there isnt an easily found list of IP addresses & URLs that need whitelisting. O365 ATP & mimecast will open these links as soon as the emails are sent invalidating any results.
Please vote up the feature request here. https://ideas.sophos.com/forums/593590-phish-threat/suggestions/37211668-the-pre-requisites-for-office-365-atp-configuration