::
Hilariously enough the URL is legit, it just dumps you at the page for downloading the app instead of Trezor’s usual homepage. But there’s absolutely no reason why Trezor would email you about logging in from somewhere other than where you are, because there is no username/password login at all to the website. Like, even if you wanted to, there isn’t an option to log in or to create a login.
So yeah, as you already know, it’s a phishing email. The scammer is probably hoping you go to the link, can’t figure out what you’re supposed to do to secure your (non-existent) account, and will reply to the email. As for your email getting leaked, a lot of times these scammers just use bots and shotgun email lists stolen from elsewhere or just random emails. I wouldn’t worry too much about how they got the address. But sometimes they will include tracking pixels in the emails so they can follow up with other scams. So if you’re ever not 100% sure about an email before you open it, try to open in it with images and any sort of scripting blocked, or download the raw message data and check the headers first.