by yunohn 1771 days ago
There’s a big difference between password reset rules, and giving third-parties access to emails and calendar.

There is nothing draconian about restricting IMAP - any app could exfiltrate confidential emails once granted access. It’s a very sane rule to disallow everything except webmail or first party apps.

1 comments

It's a terrible process for the users. And as we can see, what did it get them? A third party logging into their webmail.

The service is protected with a username and password, didn't matter if it was IMAP or webmail.

An employee who redirects company emails to get around a security rule becomes an ex-employee very quickly.

Of course it does matter! Webmail is quite restricted and optimized for viewing and replying to emails. IMAP is great for that, while also facilitating exporting (exfiltrating) the entire mailbox.