Don't blame the fgt for an improper policy. Block uncategorized websites. Will it create more work for you? Most certainly it will, but these things should get blocked. It is a near-impossible task to classify them as they come up. So you can expect to see a lot of sites. This will really scale up as we move into election season in the US, as local political sites will start popping up all over the place.
For the original question 1), you can use Static URL Filter with regex. Or, if everything at cloudfront.net is to be blocked, just use a simple filter "cloudfront.net". In case you want to use regex, be careful not to block other legit URLs simply because the same pattern appears in the URL. If you use one that is too short, like "ch.*88", it matches many others like "www.schwab.com/archive/1988/..".
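An added example (not part of the original posts): an offline check of candidate URL filter regexes against URLs that must stay reachable, run before a pattern goes onto the FortiGate. The sample URLs and the anchored pattern are constructed for illustration, and Python's `re` engine is assumed to match closely enough to the firewall's regex handling for this comparison.

```python
import re

# Constructed samples in host + path form (no scheme); not taken from the thread.
SHOULD_BLOCK = [
    "dch1288abc.cloudfront.net/index.html",
    "d3chx88k2.cloudfront.net/support/alert.html",
]
MUST_ALLOW = [
    "www.schwab.com/archive/1988/",           # false positive named in the post
    "www.example.org/launch/2088.html",       # "ch" in path, "88" later on
    "d111111abcdef8.cloudfront.net/app.js",   # unrelated CloudFront content
]

# Hypothetical tighter pattern: the "ch...88" run must sit inside the first
# host label, and the host must end in cloudfront.net.
ANCHORED = r"^[a-z0-9]*ch[a-z0-9]*88[a-z0-9]*\.cloudfront\.net(/|$)"

CANDIDATES = [r"ch.*88", r"cloudfront\.net", ANCHORED]


def evaluate(pattern):
    """Return the URLs a pattern fails to block and the ones it wrongly blocks."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {
        "missed": [u for u in SHOULD_BLOCK if not rx.search(u)],
        "false_positives": [u for u in MUST_ALLOW if rx.search(u)],
    }


def report(patterns=CANDIDATES):
    """Build one summary line per candidate pattern."""
    lines = []
    for p in patterns:
        r = evaluate(p)
        verdict = "OK" if not r["missed"] and not r["false_positives"] else "REVIEW"
        lines.append(f"{verdict:6} {p!r} missed={r['missed']} "
                     f"false_positives={r['false_positives']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Extend `MUST_ALLOW` with hosts pulled from your own web filter logs so the check reflects what your users actually visit.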
The best overall advice IMO is user education - those fake tech support scams mostly always rely heavily on social engineering, be it via email and/or voice communication, and usually involve getting the "victim" to download something onto their computer.
As for why the fgt isn't catching it, that may depend on a number of factors, starting with how you are monitoring/scanning/protecting your users. Is the Fortigate performing full SSL content inspection or only security certificate inspection? Is the fgt configured to look up both the host name and IP address (e.g. Rate URLs by domain and IP Address)? How are sites that return "rating error" handled - is the fgt configured to drop that connection or allow the connection to go through? Is the fgt configured to allow or block remote (e.g. VNC) connections? Is the fgt configured to allow endpoint connections to IP addresses in foreign countries?
Cloudfront.net is seen by the fgt as a content server, so it may be a bit difficult to differentiate legit traffic from illicit traffic. You can try URL web filtering, using either a wild card or regex and that's assuming the fgt is configured for full SSL content inspection.
In addition to everything said already (check you have deep SSL inspection, try to set category etc.), I'd strongly suggest filing a complaint with Amazon AWS, as cloudfront.net is their CDN for hosting users' content, and they are very effective in abuse handling. Given that you see a recurring pattern in the phishers' URLs, the chance is high they were all created by the same author, and if so, Amazon blocking their account would remove all their phishing sites and assets in one go.