The widespread assumption that emails sent via Microsoft 365 and Google Workspace are always fully encrypted and secure is deeply flawed, and recent research paints a troubling picture of silent failures, unclear policies, and significant risk to sensitive data in trusted enterprise environments.
Ask almost any IT manager or business user, and you’ll find a consistent belief: using leading cloud platforms like Microsoft 365 or Google Workspace means your email is automatically protected by the latest and greatest encryption. This confidence, however, is far from justified. In reality, both companies have implemented default settings and silent failover mechanisms that can leave emails completely unencrypted, with neither notification to the sender nor sufficient audit trails to flag the incident.
Despite these warnings, Google continues to deliver messages over these insecure channels, offering users a false sense of security that their emails are shielded by enterprise-class encryption.
In both instances, the recipient receives the message, but the sender remains completely in the dark regarding the true security status of their communication.
Yet, as illustrated by Paubox and corroborated by the aftermath of real-world breaches, “forcing TLS” on these major platforms does little to guarantee anything if the recipient’s server is not properly configured or only supports outdated protocols. Instead, emails either travel over insecure channels (Google) or in the clear (Microsoft)—and this all happens invisibly.
*
Details varied per incident but follow the highlighted trends.
Stories like Solara Medical Supplies—forced to pay over $12 million in settlements after over 114,000 patient records were exposed through unencrypted email—illustrate the true cost of misplaced trust in silent, invisible security failures.
Federal guidelines, such as those set out by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), have explicitly recommended against the use of TLS 1.0 or 1.1 since as early as 2019. Many regulatory frameworks now mandate TLS 1.2 or higher for compliance, making these silent fallbacks or plain-text deliveries a source of both legal and reputational risk.
However, the cost of convenience here is invisible risk—a ticking timebomb for both the individual sender and for entire organizations relying on these services for compliance and trust.
Worse, because the sender is never notified (and the organization may never know), breached entities can remain ignorant for weeks or months, compounding the regulatory fines and operational chaos once the breach comes to light.
But if the recipient’s server only supports outdated protocols, or is misconfigured, different things happen depending on the sender’s settings:
By silently falling back to very old TLS versions—or to plaintext entirely—email services expose untold volumes of sensitive information to interception at various points in the transport path, from ISPs to internal corporate networks or malicious intermediaries on the Internet at large.
However, as this research underscores, the design decisions made for convenience have immense hidden costs. By quietly failing open—delivering messages insecurely when encryption cannot be ensured—billions of sensitive communications are exposed to interception and regulation breaches without any warning.
The most troubling aspect is the lack of transparency: users and organizations simply do not know when their emails are at risk. This undermines not just data security, but also erodes user trust and jeopardizes regulatory standing.
Organizations must take ownership: verifying their mail flows, demanding vendor transparency, and refusing to rely solely on defaults. As the headline-grabbing breaches prove again and again, it is invisible risks—not the ones we see coming—that pose the greatest threat in enterprise security.
With attackers exploiting every blind spot, and compliance regulators increasing scrutiny with each breach, it has never been more important to understand—and address—the silent failures lurking within our most trusted communication tools. Only with vigilance, transparency, and proactive policy enforcement can organizations ensure that their most sensitive data is protected, not just most of the time, but every time.
Source: TechRadar Your emails might be going out unencrypted because Google and Microsoft didn’t bother to tell you
Unpacking Cloud Email Security: What Most Users Don’t Realize
Ask almost any IT manager or business user, and you’ll find a consistent belief: using leading cloud platforms like Microsoft 365 or Google Workspace means your email is automatically protected by the latest and greatest encryption. This confidence, however, is far from justified. In reality, both companies have implemented default settings and silent failover mechanisms that can leave emails completely unencrypted, with neither notification to the sender nor sufficient audit trails to flag the incident.The Dangerous Gap in Cloud Email Encryption
A recent report from security firm Paubox revealed a systemic problem in how these platforms handle encryption failures. Microsoft 365 and Google Workspace both mishandle email transmissions when encryption protocols are not properly supported by the recipient’s server—but they do so in different (and equally risky) ways.Google Workspace: Encryption Downgrade Without Notification
When Google Workspace attempts to send an email to a recipient server that does not support newer and more secure versions of Transport Layer Security (TLS), it quietly falls back to older, deprecated protocols—TLS 1.0 and 1.1—without alerting the sender. This fallback is particularly concerning because federal guidelines, including those from the NSA, have explicitly discouraged the use of TLS 1.0 and 1.1 for years due to their known vulnerabilities and susceptibility to downgrade attacks.Despite these warnings, Google continues to deliver messages over these insecure channels, offering users a false sense of security that their emails are shielded by enterprise-class encryption.
Microsoft 365: Plain Text Delivery in the Face of Failure
Microsoft 365, on the other hand, refuses to use deprecated versions of TLS (such as 1.0 or 1.1) when transmitting email. But instead of rejecting the message or alerting the sender that encryption was impossible, Microsoft 365 simply sends the message in plain, unencrypted text. Again, this is done silently—users receive no notification that sensitive information is being delivered over potentially compromised channels.In both instances, the recipient receives the message, but the sender remains completely in the dark regarding the true security status of their communication.
Silent Failures: A Ticking Compliance Timebomb
At the heart of this issue is the silent nature of the failure. There is no bounce-back message or even a background log entry that most users (or even IT staff) can readily access. For regulated industries—healthcare, finance, legal, government—this is more than a technical quirk; it is a catastrophic regulatory oversight just waiting to happen.Healthcare: A Sector Reeling from Unseen Risks
The Paubox research points out that, in 2024, Microsoft 365 accounted for a staggering 43% of healthcare-related email breaches. Remarkably, roughly 31% of breached healthcare entities suffered from TLS misconfigurations, in many cases despite having enabled supposedly “force TLS” settings that are intended to ensure compliance with HIPAA and similar regulations.Yet, as illustrated by Paubox and corroborated by the aftermath of real-world breaches, “forcing TLS” on these major platforms does little to guarantee anything if the recipient’s server is not properly configured or only supports outdated protocols. Instead, emails either travel over insecure channels (Google) or in the clear (Microsoft)—and this all happens invisibly.
Breached Healthcare Providers: Encryption at the Time of Incident
| Provider | Encryption Attempted | Actual Protocol Used | Notification Given | Records Exposed |
|---|---|---|---|---|
| Solara Medical Supplies | Yes (TLS forced) | None (plain text) | No | 114,000+ |
| [Typical Mid-Size Clinic]* | Yes | TLS 1.0 fallback | No | 10,000+ (est.) |
Stories like Solara Medical Supplies—forced to pay over $12 million in settlements after over 114,000 patient records were exposed through unencrypted email—illustrate the true cost of misplaced trust in silent, invisible security failures.
Regulatory and Compliance Consequences
For organizations subject to HIPAA in the US, GDPR in Europe, or similar frameworks worldwide, these silent failures create a double bind: they are out of compliance and they do not know it. HIPAA, for example, requires that Protected Health Information (PHI) be encrypted in transit. But if your provider’s encryption silently fails and does not alert you—or your logs do not capture the incident—then the organization risks not only a breach but a willful negligence violation.Federal guidelines, such as those set out by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), have explicitly recommended against the use of TLS 1.0 or 1.1 since as early as 2019. Many regulatory frameworks now mandate TLS 1.2 or higher for compliance, making these silent fallbacks or plain-text deliveries a source of both legal and reputational risk.
Why Are These Platforms Failing to Warn Users?
Both Microsoft and Google have substantial incentives to maximize email deliverability and minimize friction for their billions of users. This business imperative explains, but does not excuse, the silent fallback behaviors observed. Automatic downgrades and silent plaintext delivery ensure that emails “just work,” even when secure channels fail. Alerting users or rejecting messages, on the other hand, risks confusion, disruptions to workflow, and potentially higher support costs.However, the cost of convenience here is invisible risk—a ticking timebomb for both the individual sender and for entire organizations relying on these services for compliance and trust.
“Confidence Without Clarity Gets Organizations Breached”
Paubox’s summary is succinct and sobering: “Confidence without clarity is what gets organizations breached.” The impression of end-to-end encryption and seamless security is powerful, but without visible, verifiable indicators of encryption failure, organizations are left flying blind.How Are Organizations Responding?
Despite widespread use of “force TLS” settings in both Microsoft 365 and Google Workspace, the silent failure scenario is rarely caught before a breach occurs. Why? Because neither platform:- Issues a visible warning or error to the sender
- Logs failed encryption attempts in a way that is easily accessible or actionable by administrators
- Offers fine-grained policy enforcement to automatically block or quarantine unencrypted emails in real time
The False Sense of Security: A Widespread Problem
When critical sectors such as healthcare, legal, and finance assume their email is protected by default, they expose themselves to disastrous outcomes. A single email sent unencrypted—especially if it contains PHI, customer financial data, or confidential legal information—can trigger mandatory breach notifications, lawsuits, fines, and irreparable reputation damage.Worse, because the sender is never notified (and the organization may never know), breached entities can remain ignorant for weeks or months, compounding the regulatory fines and operational chaos once the breach comes to light.
Technical Deep Dive: Weak Links in TLS and Email Infrastructure
To appreciate the severity of these failures, it’s important to understand why forcing TLS, on its own, is not enough.How TLS Works in Email Transmission
Transport Layer Security (TLS) is the standard protocol for encrypting email in transit. When an email client or service—say, Microsoft 365 or Google Workspace—sends a message, it attempts to establish a secure TLS connection with the recipient’s mail server. If both ends support a modern version (TLS 1.2 or higher), and all certificates are valid, the message is encrypted in transit.But if the recipient’s server only supports outdated protocols, or is misconfigured, different things happen depending on the sender’s settings:
- If TLS is required but only old versions (TLS 1.0/1.1) are available, Google will proceed with the weak protocol (insecure encryption).
- If TLS is required but not available, Microsoft (by default) will send the message in cleartext (no encryption).
- Neither service tells the sender that their message was delivered insecurely.
Downgrade Attacks and Man-in-the-Middle Risks
The use of outdated TLS protocols is not a theoretical risk; they have well-documented vulnerabilities, including the potential for downgrade attacks. In a downgrade attack, a malicious actor can force a secured connection to fall back to an older, less secure protocol that is easier to break, eavesdrop, or intercept.By silently falling back to very old TLS versions—or to plaintext entirely—email services expose untold volumes of sensitive information to interception at various points in the transport path, from ISPs to internal corporate networks or malicious intermediaries on the Internet at large.
What Leading Security Experts and Agencies Recommend
Organizations looking to mitigate this risk should heed the following core guidelines—backed by experts and government agencies worldwide:- Enforce TLS 1.2 or higher (ideally TLS 1.3) for all email in transit.
- Do not allow fallback to deprecated protocols (TLS 1.0 or 1.1) under any circumstances.
- Configure mail gateways to reject messages if secure transmission is not possible, and to alert both the sender and security administrators immediately.
- Use end-to-end encryption protocols, such as S/MIME or PGP, where feasible for especially sensitive information.
- Regularly audit email transport security policies, server configurations, and compliance logs.
The Way Forward: Practical Steps for Enterprises and Practitioners
Immediate Actions
Any organization relying on Microsoft 365 or Google Workspace (and especially those in regulated verticals) should immediately:- Review and tighten mail flow policies: Ensure “force TLS” settings mandate only TLS 1.2 or higher and review exceptions.
- Conduct independent audits: Use external scanning tools (such as Qualys SSL Labs or Hardenize) to test outbound and inbound mail security.
- Train users and administrators: Educate staff on the limitations of cloud email security defaults and encourage reporting of suspicious or unexpected delivery behaviors.
Longer-Term Solutions
- Implement policy-based encryption gateways: Deploy third-party solutions that can enforce encryption at the organization boundary, block non-secure email, and provide real-time alerts.
- Demand transparency from vendors: Push Microsoft and Google to offer better notification and logging of encryption failures, and clear administrator controls to enforce compliance.
- Move toward true end-to-end encryption: For extremely sensitive data, use systems where only the sender and recipient can decrypt messages—removing reliance on infrastructure-level encryption.
Critical Analysis: Strengths, Weaknesses, and Risks
Both Microsoft 365 and Google Workspace are, at their core, engineering miracles—delivering vast amounts of email reliably to hundreds of millions of users. Their default policies, optimized for deliverability and user experience, have allowed businesses worldwide to communicate efficiently and securely under most conditions.However, as this research underscores, the design decisions made for convenience have immense hidden costs. By quietly failing open—delivering messages insecurely when encryption cannot be ensured—billions of sensitive communications are exposed to interception and regulation breaches without any warning.
The most troubling aspect is the lack of transparency: users and organizations simply do not know when their emails are at risk. This undermines not just data security, but also erodes user trust and jeopardizes regulatory standing.
Where Cloud Email Security Shines
- Seamless integration and usability: For most routine communications, security is adequate and frictionless.
- Automatic protocol negotiation: Encryption works in the background most of the time.
- Easy compliance for low-risk use cases: For organizations not subject to strict regulatory frameworks (e.g., retail, education), convenience outweighs risk.
Where It Fails
- Silent encryption failures: The absence of user notification is a critical flaw.
- Obsolete protocol support: Continuing to allow TLS 1.0/1.1 undermines years of industry effort to phase out insecure standards.
- Weak administrative controls: Even organizations with the best of intentions can be caught off-guard due to default settings and hidden behaviors.
Conclusion: Don’t Trust, Verify
For email security—especially in sectors handling sensitive or regulated information—good intentions and default vendor assurances are simply not enough. The Paubox research makes clear that both Microsoft 365 and Google Workspace can—and do—fail silently, exposing critical data without any warning.Organizations must take ownership: verifying their mail flows, demanding vendor transparency, and refusing to rely solely on defaults. As the headline-grabbing breaches prove again and again, it is invisible risks—not the ones we see coming—that pose the greatest threat in enterprise security.
With attackers exploiting every blind spot, and compliance regulators increasing scrutiny with each breach, it has never been more important to understand—and address—the silent failures lurking within our most trusted communication tools. Only with vigilance, transparency, and proactive policy enforcement can organizations ensure that their most sensitive data is protected, not just most of the time, but every time.
Source: TechRadar Your emails might be going out unencrypted because Google and Microsoft didn’t bother to tell you
