A hacking group linked to Iran could be behind an attack which targeted dozens of universities in 14 countries including the UK in an attempt to steal student credentials.
Researchers from the Secureworks Counter Threat Unit (CTU) discovered spoof URL pages for several universities, which would ask victims to enter their login details before bouncing them to their institution's correct address.
Victims would be sent the spoof URL through an email appearing to ask them to log in.
In some cases the students were automatically logged in, but in others they had to enter a username and password again.
The spoof domains were targeting the university's online library systems in an attempt to gain access to these resources.
Researchers have been sent some of the emails, but do not know how many students may have clicked through, or how much information was eventually taken by hackers.
Rafe Pilling, a senior researcher for CTU, told Sky News it follows a very similar case in which nine Iranian nationals were charged with cyber theft in March.
The group, called Cobalt Dickens, shares infrastructure with the perpetrators of this new attack. CTU analysis suggests they could be behind this attack too.
Mr Pilling said: "When that happened the estimated damage to universities was $3.4bn (£2.6bn).
"These are paid for resources which they are either looking to resell or otherwise monetise.
"This is an ongoing threat, particularly because there was an indictment before. It is not necessarily the named people on that indictment, but this has continued and it doesn't seem to have been sufficient deterrent to make anyone stop.
"We may have disrupted it but universities should remain vigilant to this and make staff and students aware."
He added that CTU would continue to monitor the situation.
Researchers found 16 spoof domains targeting 76 universities in 14 countries including the USA, Australia, Canada, China, Japan and Switzerland.
In a statement, CTU said: "Universities are attractive targets for threat actors interested in obtaining intellectual property.
More from Cyberattacks
"In addition to being more difficult to secure than heavily regulated finance or healthcare organisations, universities are known to develop cutting-edge research and can attract global researchers and students."
Many of the spoof domains were registered between May and August, with the most recent one registered on 19 August.