While that’s true, there’s no indication of Microsoft brute forcing with millions of combinations.
The article you link says Microsoft is only trying a few obvious passwords: the filename, and words found in the plaintext message.
Proper encryption isn’t just about using a strong algorithm. It’s also about proper key management, i.e. not sending the password in the clear via the same channel as the encrypted files.
China’s really being a champion of peace and stability /s