by keskival 521 days ago
Ok, what if an email has "click this link if it was you who tried to log-in", or "if it wasn't you"?

Will Microsoft automatically authenticate malicious actors, or block yourself from services built with assumptions that the email client won't auto-click everything?

1 comment

Login links from my service were automatically clicked and rendered and I know that other services discovered similar problems. Based on this I think that it is very likely the case with all the links in emails, but I don't know if there is any additional heuristic involved that would treat some links differently.

See also this issue which suggests that all links are opened: https://techcommunity.microsoft.com/discussions/microsoftdef...

Note that this doesn't affect all Outlook users; Microsoft Defender for Office 365 is a separate product that only some companies use.
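An added example, not part of the thread or of any commenter's service: one way a login-link endpoint can tolerate automated link opening is to make GET side-effect free and consume the token only on an explicit POST from a confirmation form. The class name, status bodies and TTL are constructed for illustration, and the sketch assumes the scanner fetches links but does not submit forms.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # seconds; constructed value for this example


class LoginLinkService:
    """One-time login links that are not consumed by an automated GET."""

    def __init__(self):
        # Store only a hash of each token: sha256(token) -> (user, expires_at)
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, now + TOKEN_TTL)
        return token  # would be embedded in the emailed URL

    def handle(self, method, token, now=None):
        """Return (http_status, body, signed_in_user)."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None or entry[1] < now:
            self._pending.pop(key, None)  # drop expired entries
            return 410, "expired-or-used", None
        if method in ("GET", "HEAD"):
            # Safe methods change nothing: a scanner that opens the link
            # only receives the confirmation form, and the token stays valid.
            return 200, "confirm-form", None
        if method == "POST":
            # Only the form submission consumes the token and signs in.
            del self._pending[key]
            return 303, "signed-in", entry[0]
        return 405, "method-not-allowed", None
```

The same split applies to "it was me" / "it wasn't me" links: the emailed URL shows a page, and the decision is recorded only when the form on that page is submitted.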