by dist-epoch 1022 days ago
Interesting hack, but it wouldn't explain the case where you receive multiple such reset emails.
2 comments

Well... I have a theory. Maybe the threat actors are sending the recovery email with the hopes that the target does not engage. Then, the threat actor can indicate that they "no longer have access to this email address" to force recovery to an alternate address. Then, perhaps they have gained access to some people's old alternate email addresses either through credential stuffing or recreating deleted email accounts. If so, the TA can finish the reset and take over the account.
Could be multiple different actors doing it
Or some runaway script.
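As an added example that is not part of the thread, here is the detection logic a defender would run over account-recovery logs to spot the two patterns discussed above: a burst of reset emails to one account, and a reset that was redirected to an alternate address via a "no longer have access" claim and then completed through that address. The log format, event names (`reset_requested`, `recovery_redirect`, `reset_completed`) and the sample lines are all constructed for this illustration; a real identity provider's audit events will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real service): one event per line,
# "<ISO timestamp> <event> key=value ...". Field names are assumptions.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z reset_requested account=alice src_ip=198.51.100.7
2024-03-01T10:02:10Z reset_requested account=alice src_ip=198.51.100.7
2024-03-01T10:05:40Z reset_requested account=alice src_ip=203.0.113.9
2024-03-01T10:06:00Z recovery_redirect account=alice reason=no_access_to_email alt=old-backup@example.net
2024-03-01T10:09:30Z reset_completed account=alice via=alt
2024-03-01T11:00:00Z reset_requested account=bob src_ip=192.0.2.44
2024-03-01T11:30:00Z reset_completed account=bob via=primary
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and the key=value fields."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def burst_accounts(events, threshold=3, window=timedelta(minutes=15)):
    """Accounts that received at least `threshold` reset emails inside any sliding window.

    A single reset email is normal; several in quick succession is the
    'multiple such reset emails' symptom the thread is asking about.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["event"] == "reset_requested":
            by_account[e["account"]].append(e["ts"])
    flagged = set()
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return flagged


def redirected_takeovers(events):
    """(account, alternate address) pairs where a 'no access to email' redirect
    was followed by a reset completed through that alternate address.

    This is the step in the theory above where an attacker who controls a stale
    alternate address can finish the reset without the primary mailbox ever engaging.
    """
    redirected = {}
    flagged = []
    for e in events:  # events are processed in log order
        if e["event"] == "recovery_redirect" and e.get("reason") == "no_access_to_email":
            redirected[e["account"]] = e["alt"]
        elif (e["event"] == "reset_completed" and e.get("via") == "alt"
              and e["account"] in redirected):
            flagged.append((e["account"], redirected[e["account"]]))
    return flagged


def triage(text):
    """Combine both signals; an account showing both is the highest-priority review."""
    events = parse_log(text)
    bursts = burst_accounts(events)
    takeovers = redirected_takeovers(events)
    high = [acct for acct, _ in takeovers if acct in bursts]
    return {"burst": sorted(bursts), "alt_reset": takeovers, "high": high}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample data `alice` trips both rules (three reset emails in under six minutes, then a reset completed through an alternate address after a "no access" claim) while `bob`'s ordinary reset is left alone. The natural mitigation these signals point at is to treat an alternate-address recovery as a step-up event (delay plus notification to the primary address) rather than an instant fallback.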