Rainbowrainbow table attack is one way…
Or “hacked” databases , not always databases are stolen; always have alternative email for unimportant stuff.

That is a possibility. If someone has an easy-to-guess email password, or their computer gets a virus, a bad guy could get their hands on their contact lists. Either the actual contact list, or just dump the mailbox pulling names and addresses out of emails.

Of course there are plenty of other ways. Phones infected with a virus might dump their contact list. Guessing a Facebook password… Web sites with family tree information… there’s all sorts of ways to find this information out. All they need is a name you’ll trust.

Of course the email address isn’t right. They want you to hit “Reply” and have what you type go to the bad guy, not your actual brother-in-law. That would defeat the purpose of faking his name trying to take advantage of your trust.

This is exactly what spear phishing and social engineering are. It’s not all that difficult for an attacker to figure out who your brother in law is with a couple of Google searches. If the email is spoofed then it’s more than likely his email isn’t compromised. Otherwise they’d use his actual email account and not a spoofed email address

All those data leaks you hear about? They get compiled into massive databases and used for this purpose. You see two people in the same state with the same last name? Probably know each other, so spoof emails from one to another. Get someone’s contact list from a Facebook dump or phone malware? Add those connections to the database! If they don’t know each other, no big deal since you’re sending out a few million of them anyway.

The Equifax databreach was a gold mine for this — All that personal information that the credit agencies collect on everyone — addresses, bank accounts, employment history, cosigners, etc. All in one convenient location, and it’s not that hard to build these kinds of connections from that data that can then be used for whatever scam they want to try.

Email addresses are not generally considered private or secure information, and as such are relatively easy to scrape from various groups/forums/websites/etc. A compromised machine may help compile those lists, but it’s generally not necessary.

So then you can end up with many different groups of email addresses from various sources. What the spammers can then do if they wish is to send out their spam to all of the groups, but have their software pick one name out of each group to send to that group, thus increasing the chance that you “recognize” the name and thus give it a little more legitimacy. You notice it when that tactic works, but don’t notice it when it’s from someone you don’t know who happened to have an account on a gaming forum you joined a few years back but have stopped going to.

They have scraped “association lists” from things like Facebook (if you don’t have you or one of your friends doesn’t have their Friends list private, for example). And there are other lists of e-mail addresses with matching names that your friends are listed on. And finally, there are lists of e-mail addresses on e-mail servers that don’t require credentials to send e-mails (the spoofing address).

Then they can just brute force something like this:
Your Name (with spoofed return e-mail) to Your Friend (with their actual matched e-mail).

They’ll send one out to every person on your association list that has a matched e-mail address.

When a recipient gets the e-mail, it will look like you sent it to them, and it includes a vague but plausible subject and message (“Hey check out these photos!” — I got one like this just this morning.)

But if you look at the actual sender e-mail address, it won’t have anything to do with your friend’s name, it will be somebody else. And they don’t want a reply, they want you to open the file or go to the link, to run some malware.