
Office 365 Message Encryption looks exactly like phishing. (and is also useless as it doesn't have a second channel)

Good news: You can pay more to get phishing warnings in Office 365.... spooky



Can you clarify what you mean by second channel?


You have to send the way to decrypt data via a different method than you send the encrypted data; otherwise the person who can intercept one can intercept the other.

If you email me a file which needs a password, and then the password, that's pointless; you have to phone me or post me the password.

In MS's case the way you see the document is to log in to MS's servers using your email account (so an attacker could send a password reset), or an emailed one-time code (so an attacker can intercept and use it, either first, or if they can change the intercepted channel, not pass it on).



