
- Experts warned
- Microsoft 365 sends email in plain text when encryption fails, without alerting the user
- Google Workspace still uses insecure TLS 1.0 and 1.1, without warning or rejecting messages
Most users believe that email sent through cloud services is encrypted and safe by default, but new research claims this may not always be the case.
A report from Paubox found that Microsoft 365 and Google Workspace both handle these failures in ways that expose messages without informing the sender or logging the failure.
“Using obsolete encryption provides a false sense of protection because it seems as if sensitive data is protected, even though it really is not,” said Paubox.
Default settings silently weaken encryption
The problem is not just a technical edge case; it stems from how these platforms are designed to operate under normal conditions.
Google Workspace, the report found, will fall back to TLS 1.0 or 1.1 if the receiving server only supports those older protocols.
Microsoft 365 refuses to use outdated TLS, but instead of bouncing the email or alerting the sender, it sends the message in plain text.
In both cases, the email is delivered, and no warning is issued.
This behavior poses a serious compliance risk: in 2024, Microsoft 365 was responsible for 43% of healthcare email breaches.
Meanwhile, 31.1% of breached healthcare institutions had misconfigured TLS, despite many of these organizations using “Force TLS” settings to meet compliance requirements.
But as Paubox notes, forcing TLS does not guarantee encryption with secure versions such as TLS 1.2 or 1.3, and those settings fail quietly when that requirement is not met.
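Because neither platform alerts the sender or logs the failure, the Received headers on mail that has already been delivered are often the only evidence of which TLS version (if any) each hop used. The following is an added example, not code from Paubox's report or from either vendor: a small auditor that parses a constructed sample message and classifies every hop as secure (TLS 1.2 or 1.3), downgraded (TLS 1.0 or 1.1, the Google Workspace fallback case), or unencrypted/unrecorded (the Microsoft 365 plain-text case). It assumes the "version=TLS1_x cipher=..." clause that Exchange Online and Gmail commonly write into Received headers; hostnames, IPs and message ids in the sample are constructed.

```python
import email
import re
from email import policy

# Clause that Exchange Online ("version=TLS1_2, cipher=...") and Gmail
# ("version=TLS1_3 cipher=...") both write into a Received: header when the
# hop used STARTTLS. Assumption: the auditing relies on this clause being present.
TLS_CLAUSE = re.compile(r"version=TLS(?P<major>\d)[._](?P<minor>\d)", re.IGNORECASE)

# Only these versions count as "encrypted" for compliance purposes.
SECURE_VERSIONS = {(1, 2), (1, 3)}


def classify_hop(received: str) -> str:
    """Classify one Received: header by the TLS version it records."""
    m = TLS_CLAUSE.search(received)
    if m is None:
        # No TLS clause: the hop was plain SMTP, or the MTA did not record TLS.
        # Either way the header gives no evidence of encryption.
        return "unencrypted-or-unrecorded"
    version = (int(m.group("major")), int(m.group("minor")))
    if version in SECURE_VERSIONS:
        return "secure"
    return f"downgraded:TLS{version[0]}.{version[1]}"


def hop_summary(received: str) -> str:
    """Return 'from-host -> by-host' for a Received: header."""
    frm = re.search(r"\bfrom\s+(\S+)", received)
    by = re.search(r"\bby\s+(\S+)", received)
    return f"{frm.group(1) if frm else '?'} -> {by.group(1) if by else '?'}"


def audit_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (hop, classification) for every Received: header, newest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its own Received: header, so index 0 is the final hop.
    return [(hop_summary(str(h)), classify_hop(str(h))) for h in msg.get_all("Received", [])]


def has_insecure_hop(raw: bytes) -> bool:
    """True if any hop lacks evidence of TLS 1.2 or 1.3; suitable for alerting."""
    return any(cls != "secure" for _, cls in audit_message(raw))


# Constructed sample: four hops mixing Gmail-style and Exchange-style headers.
# Hop 2 shows a TLS 1.0 fallback and hop 4 shows a plain-text submission.
SAMPLE = b"""Received: from mail-outbound.sender.test (mail-outbound.sender.test [192.0.2.10])
\tby mx.receiver.test with ESMTPS id x1
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tTue, 1 Jul 2025 10:00:00 +0000
Received: from relay.legacy.test (relay.legacy.test [198.51.100.7])
\tby mail-outbound.sender.test with ESMTPS id x2
\t(version=TLS1_0 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
\tTue, 1 Jul 2025 09:59:50 +0000
Received: from HOST1.outlook.office365.test (192.0.2.55) by HOST2.outlook.office365.test (192.0.2.56)
\twith Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0000.0;
\tTue, 1 Jul 2025 09:59:40 +0000
Received: from workstation.sender.test (workstation.sender.test [203.0.113.9])
\tby HOST1.outlook.office365.test with ESMTP id x4;
\tTue, 1 Jul 2025 09:59:30 +0000
From: alice@sender.test
To: bob@receiver.test
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop, cls in audit_message(SAMPLE):
        print(f"{cls:28s} {hop}")
    print("ALERT" if has_insecure_hop(SAMPLE) else "all hops secure")
```

Run over a mailbox export, this turns the silent failure the report describes into something a SOC can count and alert on. The caveat is the one the report itself implies: a hop that never recorded its TLS state is indistinguishable from a plain-text hop, so the audit can only prove encryption where the MTA wrote it down, never prove its absence.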
The consequences of silent encryption failures are far-reaching: healthcare providers regularly send protected health information (PHI) over email, assuming that platforms such as Microsoft 365 and Google Workspace provide strong protection.
In reality, neither platform enforces modern encryption when the handshake fails, and both are at risk of violating safeguards without detection.
Federal guidelines, including those from the NSA in the US, have long warned against TLS 1.0 and 1.1 due to their weaknesses and downgrade risks.
Nevertheless, Google still allows delivery over those protocols, while Microsoft sends unencrypted email without flagging the issue.
Both paths lead to invisible compliance failures; in one documented breach, Solara Medical Supplies paid more than $12 million after unencrypted emails exposed the data of more than 114,000 patients.
Such cases show why even the best FWaaS or ZTNA solution should also work in concert with visible, enforced encryption policies across all communication channels.
“Without clarity, there is confidence until organizations get breached,” Paubox concluded.

