> you probably didn't intend Microsoft to have your credentials for
But you just gave Microsoft your credentials! How could you not intend that?
They're pretty clear about this: if you set up a 3rd party IMAP account, then yeah, credentials get used. If you set up an OAUTH2-capable account, then it uses that instead. That's why it's a lie, because of course if c't has some custom bespoke IMAP server, it's going to need credentials, and the user is going to intentionally hand them over so it can retrieve the mail.
I don't think it's clear at all if you're using the "New Outlook" app as opposed to web client. Traditionally, desktop email clients would handle credentials by directly using them to log in, not by sending them to a web service that logs in on their behalf.
It's one thing to give the locally installed instance of the Outlook client your password, it's another for Outlook to send it in plain text to Microsoft's servers.
But you just gave Microsoft your credentials! How could you not intend that?
They're pretty clear about this: if you set up a 3rd party IMAP account, then yeah, credentials get used. If you set up an OAUTH2-capable account, then it uses that instead. That's why it's a lie, because of course if c't has some custom bespoke IMAP server, it's going to need credentials, and the user is going to intentionally hand them over so it can retrieve the mail.