As you have noted, this is a common situation. Anytime the actual URL does not closely match the displayed URL you'll get an alert unless it has been added to an M or X signature in the database. I haven't been convinced that anybody is maintaining that list of exceptions, so disabling it is probably your best defense at this point. Perhaps you could generate your own M/X records if phishing is a big problem, but educating users to not blindly click on ever link would be a better course of action.

Sent from my iPad

-Al-

On Apr 20, 2021, at 05:30, Robert Kudyba <rkudyba@fordham.edu> wrote:

An important email from our university president was quarantined with Heuristics.Phishing.Email.SSL-Spoof. I submitted the email as an attachment to ClamAV. I'm also disabling it based on past reports such as https://qmailtoaster-list.qmailtoaster.narkive.com/NYaYAjLl/disabling-clamav-heuristic-phishing-checks, https://portal.smartertools.com/community/a1225/how-to-disable-a-specific-clamav-scan.aspx and https://sanesecurity.com/support/false-positives/