Table of Contents
Preserve Copies of Cloudy Attachments for eDiscovery
A “cloudy attachment” is the term used when people send a link to a file stored in SharePoint Online or OneDrive for Business instead of attaching individual copies of the file with messages generated by Outlook, Teams, or Viva Engage. The idea is that recipients can work with the original content stored in SharePoint or OneDrive rather than making changes to their personal copies and then attempting to reconcile updates. Cloudy attachments can also result in the output generated through interactions with Microsoft 365 Copilot.
Exchange Online users have had the ability to send cloudy attachments for many years. However, it takes time for people to change the habits of a working lifetime, and it’s only relatively recently that I see more cloudy attachments in use, including when sharing documents across tenants. The passing of time and better internet access allows us to catch up with Microsoft’s vision. Attachments sent through Teams has always been based on sharing, so the percentage of cloudy attachments found in Teams is much higher than email.
The eDiscovery Problem Caused by Cloudy Attachments
Efficient as cloudy attachments are, they pose a problem for eDiscovery searches. The results for Purview eDiscovery standard cases and content searches include links for cloudy attachment sent in messages. However, they do not include the actual content of the linked file. eDiscovery investigators can follow the link to find the content of the attached file, but this can be an onerous task when search results include many messages with attachment links.
Microsoft’s Solution: Auto-label Copies of Cloudy Attachments
Microsoft solution depends on two factors. First, a method is needed to mark cloudy attachments so that they can be easily found by searches. Second, the marked files must be integrated into search results. This is what Microsoft does through a combination of auto-label retention policies and Purview eDiscovery (premium). You’ll need Office 365 E5 licenses to take advantage of their solution.
The first step is to deploy an auto-labeling policy using the content condition “apply labels to cloud attachments and links shared in Exchange, Teams, Viva Engage and Copilot” (Figure 1). The auto-label policy won’t be effective immediately because it must be deployed to all the sites covered with the policy. This can take up to a week, depending on the number of sites to cover.
The auto-label policy forces SharePoint Online to capture copies of files shared through messaging. When active, the a background job monitors for cloudy attachments that come within the scope of the policy (sent from the SharePoint Online sites and OneDrive for Business accounts specified in the policy). When the policy detects an in-policy cloudy attachment, it creates a copy of the file and stores the file in the SharedVersions folder of the Preservation Hold library for the host site (Figure 2).
Because auto-labeling happens using a background timer job, it can take up to an hour before the copy of a cloudy attachment is captured and labeled.
If someone modifies a file after sharing, a new version is captured in the Preservation Hold library. This step ensures that it’s possible for eDiscovery to find an attachment in the exact state at the time it was shared. Given that document content often changes as people work on it, knowing what a recipient sees in an attachment is a critical part of the eDiscovery process.
Copies of cloudy attachments labelled by auto-label policies remain in the Preservation Hold library until their retention period lapses. At that time, the normal method of processing the retention action occurs. Depending on how many cloudy attachments an organization generates, the preservation of captured copies might have a significant impact on the consumption of SharePoint Online storage.
To ensure that the current version of the original shared file is preserved, any files moved or deleted in the locations within the scope of the auto-label policy are automatically copied to the Preservation Hold library. These are temporary copies kept for one day to allow auto-label processing to happen and then removed. This form of temporary retention is unique to files within the scope of auto-labeling policies for cloudy attachments and is a simple safeguard to preserve all the copies of these files that might be needed for eDiscovery.
Unlike other auto-labeling policies which process data at rest to apply retention labels to content that already exists, auto-labeling of cloudy attachments is not retrospective. The only attachments that are captured and retained are those sent once the policy is in force.
Retention Labels Stamped on Captured Copies of Cloudy Attachments
The auto-label policy stamps the captured copies of cloudy attachments with the retention label defined in the policy. Because they have no access to the Preservation Hold library, users who send the messages with the cloudy attachments are unaware that the captured copies have retention labels.
To avoid problems with attachments that are shared multiple times, Microsoft recommends that the retention label chosen for the auto-label policy starts its retention period from the time when the policy applies the label to the copy of the shared attachment. The retention label applied by the policy does not have to be published to users or locations. In fact, it’s probably a good idea to create a retention label specially created for use with cloudy attachment auto-labeling policies.
Discovering Information About Captured Cloudy Attachments
As you can see, the captured copies have obfuscated file names. To discover more about a file, use the Version history option. As you can see in Figure 3, the name of the document and its original location are clearly visible, as is the date when the policy captured the copy.
More information about a captured attachment is available by checking its compliance details. In Figure 4 we can see details of the retention label assigned to the file. If the auto-label policy works, the label should be the one defined in the policy.
The existence of captured attachments means that it now becomes possible to retrieve copies of the attachments during eDiscovery operations. A preview feature in the workflow for Purview eDiscovery premium cases leverage this capability to collect copies cloudy attachments in the state they were shared. Investigators can review content either at the time when a file was shared or its current state.
Good for eDiscovery People
Obviously this is a feature that is of interest to those working with eDiscovery cases, specifically with access to Purview eDiscovery (premium). For all that, it’s an interesting example of how a change made in applications (cloudy attachments) creates issues down the line for other technology. More information about the retention of cloud attachments and how auto-label policies work is available in Microsoft documentation.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.