Clicking a link is all it takes to download malicious code and send stuff to an attacker.
Clicking a link is enough to consider a target to have failed.
It shouldn't be though. If your threat vector includes teams with something like Chrome 0day, you've got bigger problems than employees clicking links.
Malicious email in the wild is either a link to a phishing page, or a link to a page offering an executable.
If I paste a URL into urlscan.io and have a look at it, I can assess better whether it might be safe. Being told "url got hit, you compromised us" is really silly in my view.
Of course "click to fail" is silly. And, in some experiments I did in the past, it's usually easy, in a large organization, to forge a 100% legit URL (like somefileserver.organization.com/some_url_that_can_be_easily_edited_by_anonymous_users) and a 100% legit sender (because of some open relay that passes DKIM and/or SPF). So you just need access to a minimal-security internal network (easily obtainable through spearphishing or malicious employees) to perform a good phish.
The obvious attack vector is to insert some JS in the webpage that performs a redirection to an external server holding malicious data. But the user would fail IFF they entered the data there, not just by clicking.