If the target was not actively trying to log into GOOD at that exact moment, why would they treat this as anything other than one of a phishing attempt or spam?

Because target WAS trying to login to BAD.

Imagine a "free porn, login here" website, when you put in your gmail address it triggers the onetime code from gmail (assuming it did that type of login) - thousands would give it up for the free porn.