You can create allow-list rules for this sort of phishing heuristic alert using WDB signatures:
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
There are two types of WDB signatures, "X" and "M". Here are a couple extra examples, since the documentation is a bit iffy:

X:.+\.usbank-email\.com([/?].*)?:.+\.usbank\.com([/?].*)?
X:.+\.ebay\.(ca|com)([/?].*)?:ebay\.caorebay\.com([/?].*)?
M:www.postfinance.info:www.postfinance.ch
M:www.deliverymail.com:media.monster.com

If you want to see more, create an empty directory and open terminal in the directory.  Then run:
 sigtool --unpack /var/lib/clamav/daily.cld​ 
(or whatever path to your daily CVD/CLD file).

It will drop a bunch of signature files in your current directory.  Open daily.wdb​ and you'll see a much larger list.  Some are more complicated because they use various country codes in the domains, others are less so.

If you craft a signature and would like Talos to distribute in the official databases, you can upload it to https://www.clamav.net/reports/signature
The web-form does get a surprising amount of spam though, so it may get looked at faster if you are interested in joining our community-sigs mailing list and send it there. See: https://lists.clamav.net/mailman/listinfo/community-sigs

For anyone interested in submitting signatures, we manually review signature submissions. Sometimes signatures cannot be accepted or need to be revised because they are FP-prone. We will let you know when changes to the signatures are required.

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Maarten Broekman via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, March 17, 2022 10:26 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Maarten Broekman <maarten.broekman@gmail.com>
Subject: Re: [clamav-users] Amazon/SpoofedDomain FP
 
That's indicating that there is a link in the email that's displaying "www.americanexpress.com" but is actually going to "www.amazonbusiness.com". It's hard to help without seeing the original email code.

On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi,
The link description is a URL and apparently doesn't match the link
itself, resulting in email from Amazon Business being marked as
malicious. Do I just add this to some kind of allow/bypass list?

How do I go about doing that?

$ clamscan -v amazon-fp.eml
Scanning /home/alex/quarantine/amazon-fp.eml
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://www.amazonbusiness.com
LibClamAV info:   Display URL: www.americanexpress.com
/root/quarantine/amazon-fp.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml