A bit of both. Many people will use a URL shortener or mask the URL with a very similar looking one. Some companies (like the one I work at) have a URL filtering service in our cloud Outlook, which is largely useful, but it mostly obfuscates the URL into hundreds of characters.
Then there are very targeted spear phishing attacks as well. And websites that are made to look virtually identical to the known site to capture credentials.
There are also numerous large data breaches, some of which capture user and password data. If that isn't encrypted, then that's another source of guessable passwords.
You have man-in-the-middle and supply chain attacks, where a hacker adds a vulnerability to a popular product or service (SolarWinds was somewhat recent) which is used by companies large and small.
Then there are places that don't require MFA as well.
And all of those are tech based and not including rogue employees, blackmail, etc.
Source: been in IT for 15 years and sat through plenty of cyber security presentations, change management calls, and listen to net sec podcasts that talk about it every few days.