Panzer, this reminds me of an episode of the podcast “Reply All” where they examined how easy it is to phish someone by making examples out of folks in their office. In these instances I think they used email addresses that were nearly identical (one letter off or so), so that they appeared familiar to the recipient, like you’re saying.
This website is interesting:
Allows you to enter an email account (i.e., your own) to see if it was involved in a data breach. Some of y'all might be surprised.