[mnw21cam]

You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.

[dtech]

The credentials only give access to the users data so they damn well should be free to give those credentials/data* to whomever they please. Keyword give, Microsoft shouldn't build a de-facto keylogger.

* Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.

[bogantech]

> As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

Why would they? The users can do whatever the hell they want with their credentials