We are seeing a ton of email account compromises that are from known sources. In other words, a vendor, a customer, or an acquaintance, gets compromised. Frequently, the attacker will reply to an existing email thread from the known source to you and they will add an attachment or a link. In that latter scenario, the link is typically leading to a fake credentials page. This type of attack is so common that we're seeing it several times per week. It will only get worse.
With the credentials attack, two-factor authentication (2fa) will typically stop this in its tracks. You can steal credentials all day long but bypassing 2fa is a much bigger challenge. And honestly, it's not worth it to the attacker unless the victim has been specifically targeted -- typically not the case.