"This is true of both OAuth and IMAP workflows but is most visible when authenticating with a third-party IMAP server. In this case, the Outlook client takes the IMAP credentials provided by your email provider to access the application and transfers them directly to Microsoft's cloud over TLS. We could reproduce this by setting up a transparent man-in-the-middle proxy between the internet and the Outlook Client to intercept encrypted traffic. In the screenshot below, our app password generated from a third-party email provider is shared and stored directly with Microsoft's servers." - Scary 😨.