- Experts warn that emails carrying sensitive data are still being delivered unencrypted, and no one is notified
- Microsoft 365 sends email in plain text when encryption fails, without warning the user at all
- Google Workspace still uses insecure TLS 1.0 and 1.1 without warning senders or rejecting messages
Most users assume that emails sent through cloud services are encrypted and secure by default, but this may not always be the case, new research has claimed.
A report from Paubox found that Microsoft 365 and Google Workspace both mishandle encryption failures in ways that leave messages exposed, without notifying the sender or logging the error.
“The use of outdated encryption gives a false sense of security because it seems that sensitive data is protected, even if it really isn’t,” said Paubox.
Default settings quietly undermining encryption
The problem is not just a technical edge case; it stems from how these platforms are designed to work under common conditions.
The report found that Google Workspace will fall back to delivering messages using TLS 1.0 or 1.1 if the receiving server only supports these outdated protocols.
Microsoft 365 refuses to use outdated TLS, but instead of bouncing the email or warning the sender, it sends the message in plain text.
In both cases, the email is delivered and no warning is issued.
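One way to look for the two failure modes described above (delivery over TLS 1.0/1.1, or with no TLS at all) is to audit the Received headers of delivered messages. This is an added example, not code from the report or from either vendor; the sample message, hostnames and IDs are constructed, and the regex assumes only the `version=TLS1_2` and `using TLSv1.2` annotation styles.

```python
import re
from email import message_from_string

# TLS annotations as written by common MTAs, e.g. "version=TLS1_2" or "using TLSv1.2".
TLS_RE = re.compile(r"(?:version=|using\s+)TLS\s*v?(\d)(?:[._](\d))?", re.I)
MIN_TLS = (1, 2)  # anything below TLS 1.2 counts as a finding

def classify_hop(received: str) -> str:
    """Classify one Received header as 'ok', 'weak-tls' or 'no-tls'."""
    m = TLS_RE.search(received)
    if not m:
        return "no-tls"  # no TLS annotation: treat as plain text until shown otherwise
    version = (int(m.group(1)), int(m.group(2) or 0))  # "TLSv1" means 1.0
    return "ok" if version >= MIN_TLS else "weak-tls"

def audit_message(raw: str) -> list[tuple[int, str]]:
    """Return (hop_index, finding) for every hop that is not 'ok'; hop 0 is the newest."""
    hops = message_from_string(raw).get_all("Received") or []
    findings = [(i, classify_hop(h)) for i, h in enumerate(hops)]
    return [(i, status) for i, status in findings if status != "ok"]

# Constructed sample message (hostnames, addresses and IDs are placeholders).
SAMPLE = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.10])
 by mx.clinic.example with ESMTPS id abc123
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 01 Jul 2025 10:00:02 +0000
Received: from relay.old.example (relay.old.example [198.51.100.7])
 by mail.partner.example (Postfix) with ESMTPS id 4F2A1
 (using TLSv1 with cipher AES256-SHA (256/256 bits));
 Tue, 01 Jul 2025 10:00:01 +0000
Received: from sender.example (sender.example [192.0.2.55])
 by relay.old.example with ESMTP id 9Z;
 Tue, 01 Jul 2025 10:00:00 +0000
From: a@sender.example
To: b@clinic.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop, finding in audit_message(SAMPLE):
        print(f"hop {hop}: {finding}")
```

A hop with no TLS annotation can also be an internal or same-host handoff, so review `no-tls` findings against your own relay topology.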
These behaviors constitute serious compliance risks, as Microsoft 365 accounted for 43% of healthcare-related email breaches in 2024.
Meanwhile, 31.1% of the breached healthcare entities had TLS misconfigurations, despite many of these organizations using “Force TLS” settings to meet compliance requirements.
However, as Paubox notes, forcing TLS does not guarantee encryption with secure versions such as TLS 1.2 or 1.3, and it fails silently when these conditions are not met.
The consequences of silent encryption failures are far-reaching. Healthcare providers routinely send protected health information (PHI) by email, assuming that tools such as Microsoft 365 and Google Workspace offer strong protection.
In reality, neither platform enforces modern encryption when failures occur, and both risk violating HIPAA safeguards without detection.
Federal guidelines, including those from the NSA in the United States, have long warned against TLS 1.0 and 1.1 due to vulnerabilities and downgrade risks.
Still, Google continues to allow delivery over these protocols, while Microsoft sends unencrypted emails without flagging the problem.
Both paths lead to invisible compliance failures. In one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed over 114,000 patient records.
Cases like this show why even the best FWaaS or ZTNA solution should work with visible, enforceable encryption policies across all communication channels.
“Confidence without clarity is what gets organizations violated,” concluded Paubox.



