Securing one-time links against phishing filter of email providers


I have a subpage on my website which is called up by users via a button in an email. The hyperlink behind the button contains a one-time valid token as a GET parameter. This is used to check whether the user is authorized to access this page. If the token is accepted, a function that manipulates the database is executed immediately and without further user intervention.

My problem now is that email clients such as Outlook have a phishing filter that calls up every link in an email once in order to check the websites for phishing attempts. However, this call automatically uses the token, which makes it invalid and triggers the function that manipulates the database.

Now to my question. Do any of you know of a way around this problem and, for example, check whether a real person has called up the link or a phishing filter? I don't want the user to have to make any additional entries. That means I don't want a confirmation prompt or a captcha.

The frontend is written with HTML and TypeScript and the backend with C#.

I didn't try anything yet because I couldn't think of a solution that doesn't need user intervention.

Many thanks in advance. If you need any further information, please feel free to ask.

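An added example, not part of the original question: a TypeScript model of a one-time link where GET and HEAD are side-effect free and only a POST sent from the landing page redeems the token and changes data. `OneTimeLinks`, `handle`, `simulate` and the token value are hypothetical, and the model assumes the mail filter only fetches the URL and neither submits the form nor runs the page's script.

```typescript
// Added example: GET/HEAD only validate, POST redeems. All names are hypothetical
// and the token and timestamps are constructed sample values.
type Method = "GET" | "HEAD" | "POST";
type TokenState = { userId: number; expiresAt: number; usedAt: number | null };
type Result = { status: number; body: string };

class OneTimeLinks {
  private tokens = new Map<string, TokenState>();
  public dbWrites: number[] = []; // stands in for the database-changing function

  issue(token: string, userId: number, ttlMs: number, now: number): void {
    this.tokens.set(token, { userId, expiresAt: now + ttlMs, usedAt: null });
  }

  // Validity check with no side effects, shared by all methods.
  private lookup(token: string, now: number): TokenState | null {
    const t = this.tokens.get(token);
    if (!t || t.usedAt !== null || now > t.expiresAt) return null;
    return t;
  }

  handle(method: Method, token: string, now: number): Result {
    const t = this.lookup(token, now);
    if (!t) return { status: 410, body: "link expired or already used" };
    if (method !== "POST") {
      // Safe methods render the landing page only; a filter's prefetch ends here.
      // The page carries the token in a form or script that sends the POST.
      return { status: 200, body: method === "HEAD" ? "" : "landing page" };
    }
    // The state change happens only here, and the token is consumed together
    // with it (in a real backend: one transaction or a conditional UPDATE).
    t.usedAt = now;
    this.dbWrites.push(t.userId);
    return { status: 200, body: "done" };
  }
}

// Constructed scenario: the mail filter prefetches the link, then the user opens it.
function simulate() {
  const links = new OneTimeLinks();
  const tok = "tok-constructed-123";
  links.issue(tok, 42, 60_000, 0);
  const scanner = links.handle("GET", tok, 1_000).status;
  const userGet = links.handle("GET", tok, 5_000).status;
  const userPost = links.handle("POST", tok, 5_100).status;
  const replay = links.handle("POST", tok, 5_200).status;
  return { scanner, userGet, userPost, replay, writes: links.dbWrites.length };
}
```

The landing page can send the POST from a script on load so the user makes no extra entry; a filter that executes page scripts would still redeem the token in that case.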