They turned off the ability to use smtp pop3 or imap over cleartext a while ago. They only expose it over tls wrapped ports. Your client wouldn't even be able to get as far as sending it.
Also forces SASL which is tldr for echo 'username password'|base64 before sending it. Once you enable 2fa for the account, you can recreate an application password. Funnily enough my old password was stronger than a 16 char string : / all in all they just force reduced password length. Whilst forcing sms verification allowing account take over from sim swapping :'( For the record this is sent from mutt using app password without oauth. --
