A new investigative report from HIPAA compliant email provider Paubox has exposed a hidden security failure in Microsoft 365 and Google Workspace, two of the most widely used email platforms. Despite claims of encryption and compliance, both platforms fail under real-world conditions that could expose sensitive information without the sender or receiver knowing.

Any organization relying on Microsoft 365 or Google Workspace for email encryption could be unknowingly exposing sensitive information.

The report, How Microsoft and Google Put PHI at Risk, details a series of controlled experiments in which messages sent from both platforms were delivered either using obsolete encryption protocols or unencrypted in cleartext. In all test cases, the sender was never notified of the failure—there was no bounce, no alert, and no visible log.

Marketing Technology News: From Martech Cost Center to Marketing Value Driver: How the Right Metrics can save Martech Adoption?

A test of real-world encryption

The Paubox research team simulated how email behaves when sent to outdated or noncompliant servers—a realistic scenario in healthcare, where digital infrastructure is often fragmented across clinics, vendors, and legacy systems.

• Google Workspace still transmits emails using obsolete encryption protocols like TLS 1.0 and TLS 1.1—versions explicitly prohibited by the NSA.
• Microsoft 365 silently delivers emails in cleartext when encryption cannot be negotiated, exposing sensitive data to potential interception with no warning to senders or recipients.
• In both cases, there was no bounce, no alert, and no audit trail. The only evidence was buried in the message headers.
• Outdated TLS configurations and certificate mismanagement are consistently listed among the top security risks, even in API environments.

Marketing Technology News: MarTech Interview with Kurt Donnell, CEO @ Freestar

Critically, these weren’t configuration mistakes.

Cleartext delivery and outdated encryption put data at risk

This isn’t just a healthcare problem. Any organization relying on Microsoft 365 or Google Workspace for email encryption could be unknowingly exposing sensitive information. These platforms do not consistently enforce strong encryption, and many IT teams are unaware of the gaps.

“Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.” – NSA, Eliminating Obsolete TLS, 2021

These flaws violate the NSA’s guidance to eliminate TLS 1.0 and 1.1, and directly contradict RFC 8996, which states that outdated protocols “MUST NOT be used.”

With no audit trail, no bounce, and no alert, messages appear to be protected, even when they’re not.

When encryption fails, organizations are left vulnerable to regulatory violations, legal action, and reputational damage, even when they believe they’ve done everything right.

Next steps for IT and compliance teams

Paubox urges IT leaders to stop assuming encryption is working and start testing it for themselves. The report walks through the testing process in detail and includes annotated message header examples that show what encryption downgrade looks like in practice.