Have you noticed an unusual spike in your marketing qualified leads recently? If you rely on email link clicks as a scoring input, there is a good chance your MQL numbers are lying to you.
After examining millions of lead activities across our client base, we traced the root cause to a growing problem: email threat scanners. Anti-malware software vendors have steadily tightened their inspection of email links, likely in response to ransomware attacks like WannaCry that swept through enterprises in mid-2017. Those changes in scanning behavior created a ripple effect that most marketing teams never anticipated.
The scanners click your email links automatically. Every link. Every time. And your marketing automation platform records those clicks as genuine engagement.
How Anti-Malware Scanners Inflate Your MQL Count
Here is the pattern we discovered. A lead receives an email and instantly clicks the contained link. Not within a few minutes. Within seconds. Once the pattern starts, it is consistent across every email sent: a click occurs almost immediately after receipt.
We call these "auto-click leads." Their behavior scores climb rapidly because your scoring programs reward email engagement. A lead that "clicked" 15 emails in a month will rack up enough points to cross your MQL threshold, even though no human ever interacted with your content.
The impact cascades through your entire funnel:
- Conversion rates drop. Leads that cross the MQL threshold due to scanner clicks are not genuinely interested. When they reach sales, they do not convert. - Sales confidence erodes. Your sales team starts dismissing marketing leads because too many are unresponsive. The "marketing leads are garbage" complaint intensifies. - Reporting becomes unreliable. Email click rates, lead behavior scores, and MQL counts all overstate actual engagement. You lose your ability to make sound resource allocation decisions based on these metrics.
Are Your Leads Affected?
All marketing automation platforms are potentially affected. The issue is industry-wide because it originates on the recipient side, not yours. You are most exposed if you:
1. Send frequent emails with link-based calls to action 2. Score leads based on email clicks 3. Allow email click scores to accumulate across multiple emails
If none of those apply, you may not need to worry. But if you send weekly nurture emails and award generous scores for link clicks, keep reading.
Finding Your Auto-Click Leads
Identifying the auto-click leads is not straightforward within most MAPs. The relationship between a send event, a click event, and the resulting score change needs to be correlated at the timestamp level.
A simple first pass is to filter your lead database for leads that have:
- High behavior scores (50+ points) - Clicked multiple email links (5 or more) - Click timestamps that fall within seconds of the corresponding email send time
For a more precise analysis, we downloaded all activities from our client's Marketo instance into a PostgreSQL database. This allowed us to write SQL queries that correctly related every behavior score change to its original email click activity. The query examined 51 million activities and identified every lead with auto-click behavior and the associated inflated score points.
The results were eye-opening. Some leads had accumulated 80 or more points purely from scanner activity. Their entire MQL status was built on phantom engagement.
Fixing Your Lead Scores
Once you identify auto-click leads, the conceptual fix is simple: decrement each lead's behavior score by the number of auto-click points. The practical execution depends on your MAP's capabilities.
In Marketo, you can create separate static lists for groups of affected leads and run campaigns to decrement their scores accordingly. Other platforms will have their own mechanisms for bulk score adjustments.
Short-term remediation:- Disable any global lead scoring programs based on email clicks - Instead, score the outcome of those clicks by measuring landing page visits. Email scanning software does not execute JavaScript tracking code, so their visits are not recorded on your web analytics - Audit your current MQL population and re-evaluate any leads whose scores are primarily driven by email clicks
Long-term solutions:- Independently score each email click only after a delivery time delay of 10 to 20 minutes. A click within seconds of send is almost certainly a scanner. - Add invisible links within emails to detect auto-click behavior. If a lead clicks a hidden link that no human would see, flag them and decrement scores accordingly. - Shift your scoring weight toward actions that scanners cannot replicate: form fills, content downloads, product page visits, demo requests, and webinar registrations.
Rethinking Email Engagement Metrics
This scanner problem is not going away. As email security continues to tighten, the percentage of phantom clicks will only increase. Forward-thinking revenue operations teams are re-evaluating their entire approach to email-based scoring.
The broader lesson is that any engagement metric that can be triggered by automated software should be treated with caution. Opens have been unreliable for years due to image blocking and privacy features. Now clicks are joining the unreliable column for certain segments of your database.
A more durable approach to lead scoring focuses on intent signals that require genuine human interaction: visiting pricing pages, requesting demos, attending webinars, downloading technical content, or engaging with your sales team directly. These signals are harder to fake and provide a much stronger indication of actual purchase intent.
The Bigger Picture for Marketing Analytics
The anti-malware scanner issue is a case study in why data hygiene matters for marketing analytics. When the foundational data is polluted, every downstream metric suffers. Your email performance benchmarks, your lead scoring models, your MQL-to-SQL conversion rates, and your marketing attribution all become unreliable.
Teams that invest in understanding their data at the activity level, rather than accepting dashboard summaries at face value, catch these problems earlier and maintain credibility with their sales counterparts. That credibility is worth more than any single campaign metric.
If you suspect your lead scores are inflated by scanner activity, start with the simple filter described above. Even a rough identification of auto-click leads will give you a clearer picture of your true pipeline health and help you rebuild trust between marketing and sales.
Frequently Asked Questions
Why are my MQL numbers suddenly spiking?
Anti-malware and email threat scanners are auto-clicking links in your emails within seconds of delivery. These phantom clicks inflate behavior scores and push unengaged leads past your MQL threshold.
How do I detect auto-click leads in my marketing automation platform?
Filter for leads with high behavior scores and multiple email clicks. Look for click timestamps that occur within seconds of the email send time. Leads clicking every link in every email instantly are almost certainly scanner activity.
What should I do to fix inflated lead scores from email scanners?
Short term, disable global lead scoring based on email clicks and instead score the landing page visit. Long term, add invisible links to detect scanners, or implement time-delay scoring that only credits clicks occurring 10 to 20 minutes after delivery.
Which marketing automation platforms are affected by email scanner clicks?
All major platforms including Marketo, HubSpot, Pardot, and Eloqua are potentially affected because the issue originates with email security software on the recipient side, not the MAP itself.
See how ORM turns these insights into action
ORM builds custom revenue forecast models for B2B SaaS companies. Not dashboards. Prescriptive analytics that tell you what to do next.
Schedule a Demo