Mostly, there are so many IPs those attackers can use. When I look at the smtp/imap failed authentication attempt logs, the patterns are fairly obvious. Different IPs trying similar looking emails in a sequences. I think in most cases where banning the IP, even only for 24h, will do the trick (and /64 block for v6).

Also there is something to be said for generating the password yourself and sending it in clear to your users by email. The reality is that if the attacker has access to your client’s emails, it’s game over anyway because of password recovery. And this way you enforce that your clients will not reuse a password, and will have a strong non brute forceable password. And if you get hacked, at least you didn’t leak that precious password your users reused everywhere else. The only issue I can think of is that’s because smtp is the most neglected protocol of the internet, there is no way to ensure the email will be encrypted in transit.