Problem: You receive quarantine digests or attachments through proofpoint but they are still being detonated (ie: clicked/opened) by Office365.
Side-Effect: On some phishing simulation tools, it can cause the simulations to be "clicked" and hence, creates a "failed phishing sim" false-positive for the simulation tool. This can happen even if you pushed out ATP Link and Attachment bypass rules or identified the URLs in phishing simulation section of Advanced Delivery.
Issue: For some reason (unknown), microsoft ignores all forms of whitelisting and it seems to be random or unexplainable.
Solution: Consider this the last-ditch solution if all else fails (ie: ATP allow rules + Advanced Delivery phishing sim allow)
Go to Office365 -> admin -> Select Security
This will bring you to the Defender page.
Select Submission
Then, click on submission
Enter the URL to prevent the link detonation on:
Complete the submission, the link should be left alone for 30 days.
You may need to repeat this one or two times but at some point the trust will "stick".