Thanks Vasil. I added some feedback to the Safe Attachment Docs page asking for what occurs, and the documentation has been updated with this:
If a file attachment is encrypted or password protected, it can't be examined by Safe Attachments. The message with the attachment will be delivered, and the recipient receives no warning that the file hasn't been scanned by Safe Attachments.

This is not unique to EOP or MDO. Most gateway solutions will not tackle encryption, and encryption can be as little as a write-protect or cell protection password on a document or worksheet. You are dependent on end-point protection to scan the attachment once the recipient has opened it.

For rules, your predicate is "includes an attachment that is password protected" and your actions can be to quarantine, redirect or stamp the e-mail with a disclaimer. One possibility is to prepend the message with the text "This mail contains encrypted attachments. Are you expecting encrypted content from this sender? Check that {your anti-virus} is up to date before opening these attachments, or contact {your support desk} for advice." Needless to say, you should also have a fairly aggressive common attachment types list to keep most dubious attachment types out anyway.