Researchers at PhishMe detected a malicious email campaign spreading Zeus.

In this ruse, attackers sent emails from within a compromised .edu domain – a tactic likely used to gain the trust of victims, a Friday blog post by PhishMe's Ronnie Tokazowski said.

“Most universities can be trusted to send legitimate emails, so their IP addresses don't make it onto vendor blacklists, and universities typically have faster Internet to accommodate the large number of students accessing the Web, streaming Netflix, and gaming online,” Tokazowsk wrote. He later noted that saboteurs may not have “directly attacked the university,” but may have compromised a system residing at the university.

PhishMe redacted the name of the U.S. university used in the campaign, but revealed that emails were made to look like payment confirmation correspondence. Zip files thought to contain the information, instead caused victims to install Zeus.