The emails are user facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.