This phish typically originates from a non-Cornell account. The sender may appear as "Cornell.edu | eNotice Ticket <[user]@hakoconstruction.com>". The link within directs to a fake login page. If you entered your credentials into the page, change your NetID password immediately at https://netid.cornell.edu.