On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into an URL form starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message.
CBC/CFB gadget attacks which resides within the PGP and S/MIME specifications, affecting all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker.
The Efail report lists additional steps users can take to reduce the likelihood of falling prey to encryption attacks — namely, decrypting S/Mime and PGP outside email clients in a separate application and disabling HTML rendering altogether. But the researchers cautioned that since attacks could become increasingly sophisticated in future, strategies which bolster OpenPGP and S/Mime standards are required for a long term fix.