Troubleshooting: Login link has expired


You land on the following page after interacting with a Hoxhunt training email:


You can see this landing page in a few different situations:

1. You try to fail a Hoxhunt training email

2. You try to use a Magic Link


You try to fail a Hoxhunt training email

What is supposed to happen?

Hoxhunt training emails can include different fail mechanisms in which you can "fall for" the phishing test. These methods include, but are not limited to:

1. Fail links located in the email (either as a URL or hidden in a CTA or button)

2. Fake attachments (a link hidden in the image of an attachment)

3. Real attachments (a link hidden in the attachment)

When you interact with these elements, you fail the phishing test. During technical testing you will be asked to do so intentionally, so we can test that nothing is blocking the fail links. Hoxhunt uses 200+ domains and urls for training purposes, to offer variety and a challenge for the employees during the phishing training. These domains and urls simulate the types of domains and urls used in real phishing attacks, so they will often be blocked by different automated tools built to detect suspicious urls. 

When everything is working as it should, the employee will get the "Oops!" landing page as shown below:


"Login link has expired" message

Each link can be interacted with or clicked on only once - after this the link will expire. If you attempt to fail the email a second time, you will be shown the Login link has expired page.

In some cases, you did in fact not interact with or click on the link before. In these cases, the most likely cause is that you organization has a technical solution in place (such as a proxy, web filter, link scanner) that automatically inspects the links in emails. This technical inspection will then be considered an interaction with the fail mechanism. This will cause the user to fail the email, even though they did not in fact interact with the email. We call these auto-fails.

To solve these auto-fail situations, your IT department admin should determine:

  • what technical solution inspected the link within the email, and
  • what type of allowlisting the technical solution allows. Most commonly, they allow either IP or domain allowlisting. Please reach out to your Onboarding Manager or Hoxhunt Support at if you need the list of domains to allowlist.  

Your admins can read more here: Allow/whitelisting proxies, VPNs, firewalls and link scanners overview


You try to use a Magic Link twice

If your company does not have SSO set up, you can log into Hoxhunt using a Magic Link. Each Magic Link can only be used once, so if you attempt to click it again you will land on the page that says the Login link has expired. You can request a new Magic Link here: 


Questions or further issues?

If you need any additional help, please don't hesitate to reach out to Hoxhunt Support at

Was this article helpful?

7 out of 8 found this helpful

Have more questions? Submit a request