Microsoft 365 and Google Workspace could put sensitive data at risk because of a blind spot in default email behavior
Google and Microsoft fail in different ways, but both fail

- Experts warn emails sent with sensitive data are still getting delivered unencrypted, and no one gets notified
- Microsoft 365 sends email in plain text when encryption fails, without alerting the user at all
- Google Workspace still uses insecure TLS 1.0 and 1.1 without warning senders or rejecting messages
Most users assume that emails sent through cloud services are encrypted and secure by default, but this might not always be the case, new research has claimed.
A report from Paubox found Microsoft 365 and Google Workspace both mishandle these failures in ways that leave messages exposed, without notifying the sender or logging the failure.
“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not,” Paubox said.
Default settings quietly undermine encryption
The problem isn’t just a technical edge case; it stems from how these platforms are designed to operate under common conditions.
Google Workspace, the report found, will fall back to delivering messages using TLS 1.0 or 1.1 if the receiving server only supports those outdated protocols.
Microsoft 365 refuses to use deprecated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.
In both cases, the email is delivered, and no warning is issued.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
These behaviors pose serious compliance risks, as in 2024, Microsoft 365 accounted for 43% of healthcare-related email breaches.
Meanwhile, 31.1% of breached healthcare entities had TLS misconfigurations, despite many of these organizations using “force TLS” settings to meet compliance requirements.
But as Paubox notes, forcing TLS does not guarantee encryption using secure versions like TLS 1.2 or 1.3, and fails silently when those conditions are not met.
The consequences of silent encryption failures are far-reaching - healthcare providers routinely send Protected Health Information (PHI) over email, assuming tools like Microsoft 365 and Google Workspace offer strong protections.
In reality, neither platform enforces modern encryption when failures occur, and both risk violating HIPAA safeguards without detection.
Federal guidelines, including those from the NSA in the US, have long warned against TLS 1.0 and 1.1 due to vulnerabilities and downgrade risks.
Yet Google still allows delivery over those protocols, while Microsoft sends unencrypted emails without flagging the issue.
Both paths lead to invisible compliance failures - in one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed over 114,000 patient records.
Cases like this show why even the best FWAAS or ZTNA solution must work in concert with visible, enforceable encryption policies across all communication channels.
“Confidence without clarity is what gets organizations breached,” Paubox concluded.
You might also like
- These are the best VPNs with antivirus that you can use right now
- Take a look at our pick of the best internet security suites available
- China-backed "LapDogs" hackers hijacked hundreds of devices

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.