You usually keep old mails around that malware can then silently forward, this is a problem for unencrypted data. To authenticate through email, even if possible, there are hoops the attacker would need to go through and you'd likely be notified of e.g. a password reset mail