I've seen the same issue. The links in emails opened in outlook seem to be crawled immediately by the 'BingPreview' bot.

Especially users working with Microsoft Office 365 and therefore Outlook noticed very often that login is not possible. Upon closer analysis, it was found that the MS/Bing crawlers are particularly persistent and repeatedly call the reset links, regardless of server configuration or the like. For this reason, a text field was implemented in the backend via the Drupal State API, in which selected user agents (always one per line) can be entered. These are checked by 'Shy One Time', in case of a hit a redirect to the LogIn form with a 302 status code occurs, the reset link is not invalidated.

Another suggestion some senders are trying is to set up a “stealth” link, that human readers won’t see or click on but that parsing software might. Clicks on that link are a sign that the click was not done by the recipient.

This behaviour may affect one-click unsubscribe links. If clicking the link in an email automatically processes the unsubscribe, then Barracuda may unsubscribe users without their knowledge.

This behaviour may affect opt-in confirmation links.

I’ve implemented a form on the landings page that auto-submits (on DOMContentLoaded) and posts the token to the next page. Passwordless login is now working for my client despite their mail scanner.

In June 2021 I can confirm Microsoft seem to be running a product that completes client side activities, like automatically submitting a form. I guess they are running a headless browser to do the scanning.