IMAP on email vulnerable to password-spraying attacks

IMAP (Internet Message Access Protocol) is an authentication protocol that enables an account to be accessed from multiple devices. Desktop and mobile phone email clients often use it to retrieve email from the email server.

IMAP logins cannot be given an additional layer of protection with multi-factor authentication. IMAP support is “on” by default on Office 365 and G Suite, making them vulnerable to password-spraying attacks.

A password-spraying attack takes a large number of usernames and combines each of them with a single password, so the attempts look like isolated failed logins.
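Because each account sees only one failure, a per-account lockout counter does not notice the pattern; grouping failures by source does. The following detection sketch is an added example, not part of the original post. The log format, thresholds, function names and sample events are constructed assumptions and not any provider's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, result.
# The format is an assumption made for this example.
SAMPLE_LOG = """\
2019-03-20T09:00:01 198.51.100.7 alice FAIL
2019-03-20T09:00:09 198.51.100.7 bob FAIL
2019-03-20T09:00:17 198.51.100.7 carol FAIL
2019-03-20T09:00:26 198.51.100.7 dave FAIL
2019-03-20T09:01:00 203.0.113.5 frank FAIL
2019-03-20T09:01:20 203.0.113.5 frank OK
"""

def parse(log_text):
    """Yield (time, source, user, ok) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Return {source: sorted users} for sources that failed logins against
    at least min_users distinct accounts within one sliding window."""
    failures = defaultdict(list)           # source -> [(time, user)]
    for when, src, user, ok in events:
        if not ok:
            failures[src].append((when, user))
    flagged = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the left edge until the span fits inside the window.
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(set(flagged.get(src, [])) | users)
    return flagged

def max_failures_per_account(events):
    """Worst per-account failure count: all that a lockout policy sees."""
    counts = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            counts[user] += 1
    return max(counts.values(), default=0)
```

On the sample data no account has more than one failed login, yet the first source is flagged for failing against four distinct accounts, while the user who mistyped a password once is not.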

Read more about this topic at: https://www.helpnetsecurity.com/2019/03/20/imap-based-password-spraying/