Microsoft 365 and Google Workspace could put sensitive data at risk because of a blind spot in default email behavior

Back view of a man using a laptop with Windows 11's Microsoft Store app open
Windows 11 met de Microsoft Store-app geopend (Image credit: Foxy burrow / Shutterstock / Microsoft)

  • Experts warn emails sent with sensitive data are still getting delivered unencrypted, and no one gets notified
  • Microsoft 365 sends email in plain text when encryption fails, without alerting the user at all
  • Google Workspace still uses insecure TLS 1.0 and 1.1 without warning senders or rejecting messages

Most users assume that emails sent through cloud services are encrypted and secure by default, but this might not always be the case, new research has claimed.

A report from Paubox found Microsoft 365 and Google Workspace both mishandle these failures in ways that leave messages exposed, without notifying the sender or logging the failure.

“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not,” Paubox said.

Default settings quietly undermine encryption

The problem isn’t just a technical edge case; it stems from how these platforms are designed to operate under common conditions.

Google Workspace, the report found, will fall back to delivering messages using TLS 1.0 or 1.1 if the receiving server only supports those outdated protocols.

Microsoft 365 refuses to use deprecated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.

In both cases, the email is delivered, and no warning is issued.

These behaviors pose serious compliance risks, as in 2024, Microsoft 365 accounted for 43% of healthcare-related email breaches.

Meanwhile, 31.1% of breached healthcare entities had TLS misconfigurations, despite many of these organizations using “force TLS” settings to meet compliance requirements.

But as Paubox notes, forcing TLS does not guarantee encryption using secure versions like TLS 1.2 or 1.3, and fails silently when those conditions are not met.

The consequences of silent encryption failures are far-reaching - healthcare providers routinely send Protected Health Information (PHI) over email, assuming tools like Microsoft 365 and Google Workspace offer strong protections.

In reality, neither platform enforces modern encryption when failures occur, and both risk violating HIPAA safeguards without detection.

Federal guidelines, including those from the NSA in the US, have long warned against TLS 1.0 and 1.1 due to vulnerabilities and downgrade risks.

Yet Google still allows delivery over those protocols, while Microsoft sends unencrypted emails without flagging the issue.

Both paths lead to invisible compliance failures - in one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed over 114,000 patient records.

Cases like this show why even the best FWAAS or ZTNA solution must work in concert with visible, enforceable encryption policies across all communication channels.

“Confidence without clarity is what gets organizations breached,” Paubox concluded.

You might also like

TOPICS
Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.