by matt123456789 2087 days ago
It’s possible that the emailed link contains extra query params which are logged. Checking for the existence of these query params in requests would enable them to verify that reset requests to date were clicked from email rather than using this method.

Also, the referrer header may be different too? Although it's likely nobody thought to log it.
I would expect a "Referer" value to be empty in both cases:

  - directly navigating to a URL after doing a copy-paste
  - opening a link from an email
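
Added example, not part of the thread or any commenter's code: the log check suggested in the first comment, run over constructed access-log lines in combined log format. The reset path `/account/reset`, the `token` parameter and the marker parameter `mail_id` are assumed names; the thread names none.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed names (not from the thread): the reset endpoint and the extra
# query parameter that only the emailed link carries.
RESET_PATH = "/account/reset"
EMAIL_MARKER = "mail_id"

# Constructed sample lines, combined log format. Referer is "-" throughout,
# matching the reply's expectation that it is empty in both cases.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2020:10:00:01 +0000] "GET /account/reset?token=aaa111&mail_id=7f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2020:10:02:13 +0000] "GET /account/reset?token=bbb222 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.44 - - [01/Mar/2020:10:05:40 +0000] "GET /account/reset?token=ccc333&mail_id= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Mar/2020:10:06:02 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2020:10:09:55 +0000] "GET /account/reset?token=ddd444&mail_id=9c1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_reset_requests(log_text):
    """Split reset requests into (marked, unmarked) by the email-only parameter."""
    marked, unmarked = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if url.path != RESET_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        record = {
            "ip": m["ip"],
            "time": m["ts"],
            "token": params.get("token", [""])[0],
            "referer": m["referer"],
        }
        # An empty marker value is treated the same as a missing one.
        if params.get(EMAIL_MARKER, [""])[0]:
            marked.append(record)
        else:
            unmarked.append(record)
    return marked, unmarked
```

A marker counts as evidence only if its value is per-message and can be matched against send records, since any client can append a query parameter.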