This phish typically originates from a non-Cornell email address. The sender may appear as "cornell Reports <[username]@icloud.com>". The email contains a .HTM attachment that displays a fake login form. Do not open the attachment nor reply to the sender. If you entered your credentials into the form, change your NetID password immediately.