If the client is compromised then the mitm can be performed on the client itself. And barring that wouldn't the cert or the ca have to be compromised in order to intercept the message at all?
If the original message is delivered via SMTP, it's supposedly fairly easy to force unencrypted SMTP if you have a MITM. Then you can just rewrite the URL in the message to a domain for which you have a valid cert, or rewrite it to use http instead of https and intercept/proxy the http requests.