Following on from an earlier question on the security of Office 365 Message Encryption, I'm still not happy with my understanding of all aspects and hope that someone can enlighten me on the question of one-time passcodes.
Assuming that access to my email account and all storage points (local computer, servers) is not compromised, I understand that my emails could still be vulnerable to interception during transmission. Anything sent using O365 Message Encryption should be safe from this. However, for the recipient, one of the choices for accessing the encrypted message is to request and sign in with a one-time passcode. This passcode is itself sent by email to the same account as the original message. While it is only valid for 15 minutes, I can't see why anyone in a position to intercept my emails couldn't also intercept the passcode and therefore use it to decrypt the message.
Do my assumptions make sense? Without knowing how one would actually go about intercepting emails I may be completely missing something.
Thanks in advance for your expert advice.