We use a phishing simulation for end-user training. It sends emails to our users with URLs that, if clicked, bring them to the training site and record the click for reporting.
We use a hosted spam filter which then sends email to the security gateways for threat emulation and extraction.
We set exceptions for the sender address each month in the threat emulation and extraction policy for the simulation, but the reports still show clicks when we are certain the user did not click, and in some cases the email is blocked completely. Our conclusion is that even though we have exceptions set, the check at the gateway is still following the URL to check the reputation of the site. We opened a support case with Check Point and they told us the only option is to create a global exception in the threat prevention policy with the source being our hosted spam filter. This obviously is not a solution, as that would allow all email to bypass emulation and extraction and not just the sim email.
So, we are wondering if anyone else is running into a similar situation or if they have found a suitable workaround?