- Experts warn emails sent with sensitive data are still getting delivered unencrypted, and no one gets notified
- Microsoft 365 sends email in plain text when encryption fails, without alerting the user at all
- Google Workspace still uses insecure TLS 1.0 and 1.1 without warning senders or rejecting messages
Most users assume that emails sent through cloud services are encrypted and secure by default, but this might not always be the case, new research has claimed.
A report from Paubox found Microsoft 365 and Google Workspace both mishandle these failures in ways that leave messages exposed, without notifying the sender or logging the failure.
“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not,” Paubox said.
Default settings quietly undermine encryption
The problem isn’t just a technical edge case; it stems from how these platforms are designed to operate under common conditions.
Google Workspace, the report found, will fall back to delivering messages using TLS 1.0 or 1.1 if the receiving server only supports those outdated protocols.
Microsoft 365 refuses to use deprecated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.
In both cases, the email is delivered, and no warning is issued.
These behaviors pose serious compliance risks, as in 2024, Microsoft 365 accounted for 43% of healthcare-related email breaches.
Meanwhile, 31.1% of breached healthcare entities had TLS misconfigurations, despite many of these organizations using “force TLS” settings to meet compliance requirements.
But as Paubox notes, forcing TLS does not guarantee encryption using secure versions like TLS 1.2 or 1.3, and fails silently when those conditions are not met.
The consequences of silent encryption failures are far-reaching – healthcare providers routinely send Protected Health Information (PHI) over email, assuming tools like Microsoft 365 and Google Workspace offer strong protections.
In reality, neither platform enforces modern encryption when failures occur, and both risk violating HIPAA safeguards without detection.
Federal guidelines, including those from the NSA in the US, have long warned against TLS 1.0 and 1.1 due to vulnerabilities and downgrade risks.
Yet Google still allows delivery over those protocols, while Microsoft sends unencrypted emails without flagging the issue.
Both paths lead to invisible compliance failures – in one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed over 114,000 patient records.
Cases like this show why even the best FWAAS or ZTNA solution must work in concert with visible, enforceable encryption policies across all communication channels.
“Confidence without clarity is what gets organizations breached,” Paubox concluded.
Leave a comment