For an attacker to sniff an encrypted email in transit (a), the attacker can get it either:
i) In a targeted Man-in-the-Middle attack
ii) As a systemic attacker (e.g. NSA, GCHQ, Compromised ISP, etc)
A couple things make this difficult:
- Many encrypted emails using S/MIME are sent within a corporate enterprise and never leave the perimeter. (You'd have to breach the corporate perimeter)
- Emails are often protected via TLS in transit. (either need to break TLS or attack the endpoint)