It is a spoofing attack, where a malicious party impersonates as the university and Rector with an aim of causing damage or gaining money. The university's IT Services department confirms that the Rector's e-mail account has not been hijacked.
An archive file hinnapakkumine-pdf.zip, containing hinnapakkumine-pdf.exe, has been attached to the e-mail. This is malware known as LokiBot used to steal sensitive information such as passwords, cryptocurrency wallets and other credentials.
CERT-EE has already been notified. The sender's IP has been blocked and the e-mails will no longer reach the university's mailboxes. The university's domain computers are in order and none of them is infected, no events indicating malware infection were detected in the firewall logs, but external parties may still receive the e-mails. The incident is being dealt with.