Anyone who thinks the IMAP account passwords stored in Outlook are safe should think again. Microsoft's developers store the passwords for Outlook IMAP accounts in the registry.
The passwords are indeed encrypted with DPAPI, but they can be decrypted on the same system with a single API call. This is the approach the tools mentioned at the end of the post use to recover the password.
For example, the key is:
HKLM\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9898CFF0885468d3B88A99567B2A6676
A simple call to the CryptUnprotectData() API can decrypt this value from the registry.
Wait, it gets even more interesting:
The cache of the Teams full client also stores unencrypted passwords in the program's browsing cache. The same is true for the Teams web client, which stores conversations unencrypted in the browser cache.
What we know about DPAPI
The acronym DPAPI stands for Data Protection API, and is a simple cryptographic application programming interface available as a built-in component of Windows 2000 and later Microsoft Windows operating systems.
In theory, the Data Protection API can symmetrically encrypt any type of data. In practice, it is mainly used in the Windows operating system for symmetric encryption of asymmetric private keys.
DPAPI does not store persistent data. It just takes plain text and returns it encrypted (or vice versa). The security of DPAPI depends on the ability of the Windows operating system to protect the master key and the RSA private keys from attack. In most attack scenarios this depends heavily on the security of the end user's credentials. The master key used for encryption and decryption is derived from the user's password with the PBKDF2 function.
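The two points above (that DPAPI data stored without additional protection can be recovered with one API call in the user's own context, and that the protection ultimately rests on the user's master key) can be seen directly with a short script. The following is an added example, not code from the original post or from any of the tools it mentions; it uses the .NET ProtectedData wrapper around CryptProtectData/CryptUnprotectData on a constructed sample string, and the entropy value is a hypothetical application-specific secret chosen for the demonstration:

```powershell
# Added example (not from the original post). Demonstrates what CurrentUser-scope
# DPAPI does and does not protect, using the .NET wrapper around
# CryptProtectData / CryptUnprotectData.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')  # constructed sample, not a real credential

# 1. Protect without optional entropy. This is the weak pattern: the blob is
#    bound only to the user's DPAPI master key, so any code running in the same
#    user context can unprotect it with a single call, exactly as the post describes.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$recovered     = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $scope)
"No entropy   -> generic unprotect succeeded: " + [System.Text.Encoding]::UTF8.GetString($recovered)

# 2. Protect with application-specific optional entropy (hypothetical value, an
#    assumption for this example). The blob is still tied to the user's master
#    key, but a generic CryptUnprotectData call that does not supply the same
#    entropy now fails, which is the extra hurdle this pattern adds.
$entropy     = [System.Text.Encoding]::UTF8.GetBytes('hypothetical-app-entropy')
$blobEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $scope)
    "With entropy -> generic unprotect unexpectedly succeeded"
} catch {
    "With entropy -> generic unprotect failed as expected: " + $_.Exception.GetBaseException().Message
}

# The legitimate application, which knows the entropy, can still recover the value.
$recovered2 = [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $scope)
"With entropy -> unprotect with the right entropy succeeded: " + [System.Text.Encoding]::UTF8.GetString($recovered2)
```

Run it in a normal (non-elevated) PowerShell session on Windows; the first call succeeds and the second fails only because of the missing entropy, not because of any privilege boundary. Optional entropy raises the bar for generic decryption tools, but it does not change the underlying dependency the post points out: both blobs are decryptable by anyone who can run code as that user, because the master key is derived from that user's password.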
Microsoft has a publication on DPAPI, and the book Threat Hunters gives more details.
If you are interested, Nirsoft's DataProtectionDecryptor tool uses DPAPI to decrypt passwords.