- Experts warn emails sent with sensitive data are still getting delivered unencrypted, and nobody gets notified
- Microsoft 365 sends email in plain text when encryption fails, without alerting the user at all
- Google Workspace still uses insecure TLS 1.0 and 1.1 without warning senders or rejecting messages
Most users assume that emails sent through cloud services are encrypted and secure by default, but this might not always be the case, new research has claimed.
A report from Paubox found Microsoft 365 and Google Workspace both mishandle TLS encryption failures in ways that leave messages exposed, without notifying the sender or logging the failure.
“Using obsolete encryption provides a false sense of security because it looks as if sensitive data is protected, even though it’s actually not,” Paubox said.
Default settings quietly undermine encryption
The problem isn’t just a technical edge case; it stems from how these platforms are designed to operate under common conditions.
Google Workspace, the report found, will fall back to delivering messages using TLS 1.0 or 1.1 if the receiving server only supports these outdated protocols.
Microsoft 365 refuses to use deprecated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.
In both cases, the email is delivered, and no warning is issued.
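Because neither platform tells the sender, the only record of what actually happened on the wire is the Received header trail of the delivered message. The script below is an added example, not code from the Paubox report or from either vendor: it parses those headers from a constructed sample message and classifies each hop as modern TLS, deprecated TLS 1.0/1.1, TLS of unrecorded version, or cleartext. It recognises only the `version=TLS1_x` form used by Exchange Online and Google and the `using TLSv1.x` form used by Postfix; other MTAs may need their own pattern.

```python
import email
import re

# Constructed sample (not a real capture): a clinic's Microsoft 365 tenant sends PHI to a
# partner; the bottom hop used TLS 1.2, the middle hop fell back to TLS 1.0, the top hop no TLS.
SAMPLE_MESSAGE = """\
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
 by mailbox.partner.example with ESMTP id 7Kq1; Tue, 4 Jun 2024 10:03:11 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.8])
 by mx.partner.example with ESMTPS id 9Fz3
 (version=TLS1_0 cipher=AES128-SHA bits=128/128); Tue, 4 Jun 2024 10:03:10 +0000
Received: from SENDER.prod.outlook.com (2001:db8::1) by relay.partner.example
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7633.21; Tue, 4 Jun 2024 10:03:09 +0000
From: records@clinic.example
To: billing@partner.example

body
"""

# TLS version tokens written by Exchange Online / Google ("version=TLS1_2") and by
# Postfix ("using TLSv1.2"; a bare "TLSv1" means 1.0).
VERSION_RE = re.compile(r"(?:version=|using )TLSv?(\d)(?:[._](\d))?", re.IGNORECASE)
# ESMTPS / ESMTPSA mean STARTTLS was used even if the MTA did not record the version.
TLS_KEYWORD_RE = re.compile(r"\bwith\s+(?:E?SMTPSA?|UTF8SMTPSA?)\b", re.IGNORECASE)
SEVERITY = {"cleartext": 3, "deprecated": 2, "tls-unknown": 1, "modern": 0}

def classify_hop(received: str) -> str:
    """Classify one Received header as modern / deprecated / tls-unknown / cleartext."""
    flat = re.sub(r"\s+", " ", received)
    m = VERSION_RE.search(flat)
    if m:
        version = (int(m.group(1)), int(m.group(2) or 0))
        return "modern" if version >= (1, 2) else "deprecated"
    return "tls-unknown" if TLS_KEYWORD_RE.search(flat) else "cleartext"

def audit_message(raw: str) -> list[tuple[str, str]]:
    """Return (receiving host, classification) per hop, most recent hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for received in msg.get_all("Received") or []:
        flat = re.sub(r"\s+", " ", received)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((by.group(1) if by else "?", classify_hop(received)))
    return hops

def weakest_hop(raw: str) -> str:
    """The worst transport seen on any hop, which is what a compliance review cares about."""
    return max((c for _, c in audit_message(raw)), key=SEVERITY.get, default="cleartext")
```

Run `audit_message(SAMPLE_MESSAGE)` to list the hops; `weakest_hop` returns "cleartext" for the sample because the final internal hop used plain ESMTP, which is exactly the kind of downgrade the sending platform never reported.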
These behaviors pose serious compliance risks, as in 2024, Microsoft 365 accounted for 43% of healthcare-related email breaches.
Meanwhile, 31.1% of breached healthcare entities had TLS misconfigurations, despite many of these organizations using “force TLS” settings to meet compliance requirements.
But as Paubox notes, forcing TLS doesn’t guarantee encryption using secure versions like TLS 1.2 or 1.3, and fails silently when those conditions are not met.
The implications of silent encryption failures are far-reaching – healthcare providers routinely send Protected Health Information (PHI) over email, assuming tools like Microsoft 365 and Google Workspace offer robust protections.
In reality, neither platform enforces modern encryption when failures occur, and both risk violating HIPAA safeguards without detection.
Federal guidelines, including those from the NSA in the US, have long warned against TLS 1.0 and 1.1 due to vulnerabilities and downgrade risks.
Yet Google still permits delivery over these protocols, while Microsoft sends unencrypted emails without flagging the issue.
Both paths lead to invisible compliance failures – in one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed over 114,000 patient records.
Cases like this show why even the best FWaaS or ZTNA solution must work in concert with visible, enforceable encryption policies across all communication channels.
“Confidence without clarity is what gets organizations breached,” Paubox concluded.