- Experts warn that emails carrying sensitive data are still being delivered unencrypted, and no one is informed
- Microsoft 365 sends an email in plain text when encryption fails, without alerting the user at all
- Google Workspace still delivers over the insecure TLS 1.0 and 1.1 without warning the sender or rejecting messages
Most users assume that emails sent via cloud services are encrypted and secure by default, but that may not always be the case, according to new research.
A Paubox report found that Microsoft 365 and Google Workspace mishandle TLS encryption failures in a way that leaves messages exposed, without notifying the sender or logging the failure.
“The use of obsolete encryption offers a false sense of security because it appears that sensitive data is protected, even when it is not,” said Paubox.
Default settings quietly undermine encryption
The problem is not just a technical edge case; it follows from the way these platforms are designed to operate under common conditions.
Google Workspace, the report noted, will fall back to delivering messages over TLS 1.0 or 1.1 if the receiving server only supports those obsolete protocols.
Microsoft 365 refuses to use deprecated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.
In both cases, the email is delivered and no warning is issued.
These behaviors carry serious compliance risk: in 2024, Microsoft 365 accounted for 43% of healthcare-related email breaches.
Meanwhile, 31.1% of breached healthcare entities had TLS configuration errors, despite many of these organizations using “Force TLS” settings to meet compliance requirements.
But as Paubox notes, forcing TLS does not guarantee encryption with secure versions such as TLS 1.2 or 1.3, and it fails silently when those conditions are not met.
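A recipient-side check for the silent downgrade described above, added here as an example and not taken from the Paubox report: it classifies each Received header of a delivered message by the TLS version the relaying MTA recorded for that hop (the `version=TLS1_2` / `TLSv1.2` annotations and the RFC 3848 `ESMTPS` keyword), so a plaintext hop or a TLS 1.0/1.1 hop can be flagged and logged rather than passing unnoticed. The sample message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample, not a real capture. Top (most recent) hop: plaintext
# ESMTP delivery. Bottom hop: STARTTLS negotiated with TLS 1.0.
SAMPLE_MSG = """\
Received: from mail.example-clinic.test (203.0.113.10)
 by inbound.example-lab.test with ESMTP id 7f3a2;
 Mon, 3 Mar 2025 10:02:11 +0000
Received: from mx.example-sender.test (198.51.100.7)
 by mail.example-clinic.test with ESMTPS id 91bc0
 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Mon, 3 Mar 2025 10:02:09 +0000
From: sender@example-sender.test
To: records@example-lab.test
Subject: Lab results

Body would be here.
"""

# Matches "version=TLS1_2" (Exchange Online, Gmail) and "TLSv1.2" (Postfix).
TLS_VERSION_RE = re.compile(r"TLSv?(\d)[._]?(\d)?", re.IGNORECASE)
MODERN_TLS = {"1.2", "1.3"}

def classify_hop(received: str) -> str:
    """One Received header -> 'plaintext' | 'deprecated-tls' |
    'modern-tls' | 'tls-unknown-version'."""
    hdr = re.sub(r"\s+", " ", received)  # unfold header continuation lines
    m = TLS_VERSION_RE.search(hdr)
    if m:
        version = f"{m.group(1)}.{m.group(2) or '0'}"  # "TLS1" means 1.0
        return "modern-tls" if version in MODERN_TLS else "deprecated-tls"
    # RFC 3848 "with" keyword: ESMTPS / ESMTPSA record that STARTTLS was used.
    with_clause = re.search(r"\bwith (E?SMTPS?A?)\b", hdr, re.IGNORECASE)
    if with_clause and with_clause.group(1).upper().rstrip("A").endswith("S"):
        return "tls-unknown-version"
    return "plaintext"

def audit_message(raw: str) -> dict:
    """Classify every hop (most recent first) and flag the message when any
    hop was not protected by TLS 1.2 or 1.3."""
    msg = message_from_string(raw)
    hops = [classify_hop(h) for h in msg.get_all("Received", [])]
    exposed = [i for i, v in enumerate(hops) if v != "modern-tls"]
    return {"hops": hops, "exposed_hops": exposed, "needs_review": bool(exposed)}

if __name__ == "__main__":
    print(audit_message(SAMPLE_MSG))
```

Run against a mailbox export, the `needs_review` flag gives the audit trail that neither platform produces on its own; a hop classified `tls-unknown-version` means the relay used STARTTLS but did not record which version, so it should be checked against that relay's own logs.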
The consequences of silent encryption failures are wide-ranging: healthcare providers routinely send protected health information (PHI) by email, assuming tools like Microsoft 365 and Google Workspace offer strong protections.
In reality, neither platform enforces modern encryption when failures occur, and both are liable to violate HIPAA safeguards without detection.
Federal guidance, including that of the NSA in the United States, has long warned against TLS 1.0 and 1.1 because of known vulnerabilities and downgrade risk.
Yet Google still allows delivery over these protocols, while Microsoft sends unencrypted emails without flagging the problem.
Both paths lead to invisible compliance failures. In one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed more than 114,000 patient records.
Cases like this show why even the best FWaaS or ZTNA solution must operate alongside visible, enforceable encryption policies on all communication channels.
“Trust without clarity is what gets organizations breached,” concluded Paubox.