By Anna Albraccio, Forensics Analyst
The use of cloud-based platforms like Microsoft 365 and Google Workspace has changed the way files are shared, allowing for real-time collaboration and eliminating traditional size limitations. Despite the added benefits, they have created obstacles within eDiscovery. When users replace embedded attachments with hyperlinks, it becomes challenging to access, collect, and preserve the files. Legal teams are also finding it difficult to define these files as attachments in the traditional sense, due to their dynamic nature.
Background
Hyperlinked attachments also commonly called “Modern attachments” are files and folders that are not physically attached to an email or another form of electronic communication (i.e., text message, chat). They direct users to the files stored within a cloud-based platform; these links are only a reference to a file. Those who have access to the hyperlink can view and modify the file in real-time, reducing the redundancy of sharing multiple files. These dynamic links have changed the way that files are shared – for example, they are no longer static files, associated with an email.
Prior to the use of hyperlinks, email attachments were static files embedded within the email. When collected, the email and its attachment were captured as a “family unit” preserving their relationship and metadata. A “family unit” is a group of associated files where the primary file, i.e., an email, is the “parent” and the attachments are the “children.” It is important to ensure these relationships are preserved during the collection and production processes. At the time the email was sent, the metadata for the file would likely remain the same making it easier to determine what version of the file was collected. These static files are also not dependent on cloud-based platforms. Therefore, there are no limiting factors such as link expirations and permission settings, minimizing the risk of missing or losing inaccessible data.
Hyperlinked attachments are impacting the way files are identified, collected, and produced. The traditional forensic tools used to collect and preserve this type of data are becoming limited. With each new update in the cloud platforms, it becomes difficult to create consistent workflows. The inability to produce a hyperlinked file in compliance with electronically stored information (ESI) protocols can negatively impact legal proceedings. These protocols are agreed-upon guidelines outlining the procedures for handling electronically stored information; how it is identified, preserved, collected, reviewed, and produced. For this reason, new solutions are being developed to address these potential challenges.
Forensic Collections and the Challenges
Hyperlinked files typically point to versioned files within a cloud platform rather than the static original. Each time it is accessed or modified a new version is created, this raises the issue of determining which version was originally shared via email. It is especially challenging when the scope of collection is to obtain the version of the file that was sent. Along with the issue of version drift, these hyperlinks may expire or access to them was revoked, preventing any form of collection. While these security features may be beneficial within organizations, they have complicated the traditional workflow for preserving files.
As cloud-based platforms are evolving, so are the forensic tools used to collect and preserve their hyperlinks. Forensic tools can now extract email, hyperlinks, and their metadata from Gmail and Microsoft 365; however, using these tools may be a two-step process. The first step is to collect the email with the hyperlink, and the second is to collect the files within the cloud platform. The data collected is used to recreate the family unit like the traditional email attachments. It should be noted that this workflow is lengthy as separate collections must be conducted. These collections require different permissions or authenticators. To support this, cloud platforms like Microsoft 365 and Google Workspace have their own internal tools to export data for legal matters. Organizations can obtain various license levels to effectively govern their data in a forensically sound manner.
Microsoft 365
As of July 23, 2025, Microsoft 365’s two most common types of licensing for eDiscovery are E3 and E5. Both licenses include tools like Word, Excel, and SharePoint. While E3 only supports basic legal holds and content searches, E5 includes eDiscovery (Premium), permitting more advanced features such as collecting hyperlinked attachments from SharePoint, preserving file versions, and reconstructing full Teams chat conversations. The E5 license can also manage complex datasets while exporting them in forensically sound formats. Organizations should consider upgrading their licensing as it can minimize the cost and time taken for more manual collection and production processes. See Table A
Google Workspace
Google Workspace’s licensing models also support eDiscovery needs. Google Vault is a platform companies can use to retain, search, and export user data including Gmail messages, Google Drive files, and Google Chats. This license can be assigned to all users in an organization or as an add-on license for selected individuals. There are limitations when collecting hyperlinked attachments; for instance, the files must exist within Google Drive. Additionally, only supported file types such as Google Docs, Google Meet recordings, and uploaded non-Google files can be exported. Furthermore, when Gmail has collected the actual file, the hyperlink that it is referencing will not be included. A separate export of the Drive where the files are based will need to be performed. See Table B
Security and permissions are ongoing obstacles forensic teams face when collecting hyperlinked attachments. Access to hyperlinks can be limited as senders can restrict who can view or edit the files, as well as setting expiration dates to disable the link entirely. To be collected, it is crucial to ensure the user account has authorized permission to access the files. Additionally, it is important to consider that multi-factor authentication or other security measures are implemented to restrict user access. These limiting factors can amplify the risk of losing the original version of a file or make it inaccessible. It is crucial to stay up to date on current security procedures prior to collections to ensure compliance and mitigate potential issues.
Notable Cases
There is yet to be a definite classification of hyperlinked files used within eDiscovery. The conflict stems from what is technically feasible and the legal obligation to comply with court orders. In Nichols v Noom Inc. 2021, the ESI protocol negotiated between the parties did not address nor define hyperlink files. Therefore, the emails collected from Gmail only contained links to the files, not the actual files themselves. When the plaintiff requested the reproduction of the hyperlinked files, it was denied. Magistrate Judge Parker ruled that hyperlink files were not considered traditional files, and as such, did not comply with the agreed-upon protocol. Additionally, the cost and time to recollect the files was deemed impractical. This case highlights the importance of defining hyperlinked files within the ESI protocol. The parties risk the exclusion of important files as they may not be considered relevant.
Alternatively, in the case In Re: Uber Technologies, Inc., Passenger Sexual Assault Litigation, the term ‘attachments’ was construed broadly to include hyperlinks. Judge Cisneros clarified that while the inclusion of hyperlinked files was permissible, collection was not required if technically infeasible. This highlighted the fact that requests related to hyperlinks must be specific and reasonable to avoid potential technical limitations.
Industry Applications
As the use of hyperlinks continues to grow, legal teams must strategically assess the technical capabilities and licensing requirements needed to preserve and collect them. ESI protocols should clearly outline the procedures for identifying, collecting, and producing these types of files, while addressing how the family units will be maintained. Even with an agreed-upon ESI protocol, courts may view the requests as disproportionate to the discovery obligation. It is important to note that hyperlinks may point to files with Personally Identifiable Information (PII), such as health records or client communications. Because of this, to collect hyperlinked attachments, companies must comply with privacy regulations like the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in California. These laws require a valid legal basis and strict transparency of what exactly is being collected. Organizations must ensure that the data will be collected and transferred in a secure manner, allowing only authorized parties to manage it. Neglecting to follow these security measures can result in fines, regulatory penalties, or exclusion of evidence.
The Future
As cloud-based platforms continue to advance, so will the challenges of hyperlinked attachments. With each update, established workflows can become unreliable and inconsistent. It is essential for forensic and legal teams to stay up to date with platform changes and collection tools. They must learn to be flexible, modify collection strategies, and preemptively validate their tools to combat the constant changes.
The use of Artificial Intelligence (AI) has become one of the many technological advances in eDiscovery processes. These AI powered tools can identify relevant content within hyperlinked files faster than a human reviewer, making it easier to classify them. They also comply with privacy laws like GDPR and CCPA as they can detect PII within the files, categorize them based on sensitivity, and apply redactions where needed. Another added benefit is that it helps reconstruct family units. The tools can analyze and compare the various versions of a file to match the link to the version that was sent. With a large volume of data, there is a significant amount of time and money that is needed to thoroughly review each file for relevance, redactions, privilege, and confidentiality. Utilizing these tools reduces the time and cost that coincides with review. However, while AI offers more efficient processes, it cannot replace human expertise and judgement. AI lacks contextual understanding and the ability to interpret certain tones that humans convey in conversation. Legal teams apply legal reasoning to determine what is produced or withheld during discovery, making it important for them to have the final say.
As the use of cloud-based platforms within organizations increases, eDiscovery professionals must stay educated on how to approach hyperlinked attachments. These hyperlinked files will remain an ongoing challenge throughout the collection, preservation, and production processes due to their dynamic nature, hosting environments where they reside, and advance security limitations.
To manage these challenges, an effective strategy must be implemented, starting with the proper licensing, validated workflows, and clearly defined protocols directly addressing hyperlinked files. Preparation is key, as organizations risk missing or losing relevant data if the protocol does not address hyperlinked attachments properly. Additionally, data privacy laws have considerable influence on how the hyperlinked files are managed. Relevant files may contain PII requiring strict instruction on how they are accessed, collected, and transferred. Professionals in eDiscovery must work collaboratively to adapt to evolving workflows, tools, and regulations involving hyperlinked attachments. It is essential to remain proactive while ensuring the relevant data is managed and produced in a defensible manner.
Table A: Microsoft 365 – E3 v. E5 as of August, 2025
| Feature | Microsoft 365 E3 | Microsoft 365 E5 |
| eDiscovery Tool | eDiscovery (Standard) | eDiscovery (Premium) |
| Legal Hold Capability | ✓ Basic legal holds on mailboxes and SharePoint content | ✓ Advanced legal hold, including custodians and communications mapping |
| Search Functionality | ✓ Content Search | ✓ Content Search + Targeted and Scalable Search Capabilities |
| Hyperlinked Attachments Collection | ✗ Not supported | ✓ Collects cloud-based links (SharePoint/OneDrive links) |
| Teams Chat Reconstruction | ✗ Not supported | ✓ Reconstructs full, threaded Teams conversations |
| File Versioning | ✗ Not preserved | ✓ Preserves and collects file versions |
| Review and Analytics | ✗ Basic review only | ✓ Advanced review set management, analytics, and tagging |
| Export Options | ✓ Standard export formats | ✓ Forensically sound export with metadata preservation |
| Case Management | ✓ Limited | ✓ Robust tools for managing large or complex cases |
| Ideal Use Case | Basic legal/regulatory needs | Complex litigation, investigations, compliance reviews |
| Cost Efficiency | Lower licensing cost; higher manual workload | Higher license cost; reduces manual effort, time, and risk |