One way to do phishing attacks is to inject some payload in an automated mailing so malicious content comes from a valid email address. I wonder if they're testing whatever mail entry they can find with addresses they have access to in attempt to find something usable?