You send large attachments in Outlook securely by using OneDrive or SharePoint sharing links with expiration dates and passwords, by applying Microsoft Purview Message Encryption to encrypt the message and its files end to end, or by routing the file through a vetted third-party secure file transfer portal such as Tresorit, Citrix ShareFile, or Kiteworks. Each path solves a different problem, and each one carries a different legal risk if you choose wrong.
Outlook itself blocks most files over about 20 MB, and Microsoft 365 tenants cap messages at 150 MB for desktop Outlook and 112 MB on the web, so the size ceiling is not the real danger. The real danger is that a standard attachment travels over TLS in transit only and then sits unprotected inside the recipient’s mailbox, where it can be forwarded, screenshot, or exposed by a breach.
Federal law does not ban email attachments, but several rules punish the sender when a file is lost. The HIPAA Security Rule at 45 CFR §164.312 requires access controls and transmission security for electronic protected health information. The FTC Safeguards Rule at 16 CFR Part 314 demands encryption of customer data in transit and at rest for financial institutions. The ABA Formal Opinion 477R tells lawyers to use reasonable safeguards, including encryption, when sending confidential client information. When your 40 MB zip bounces and you grab the first workaround you see, you risk violating all three.
A 2024 IBM Cost of a Data Breach Report pegs the average U.S. breach at $9.36 million, and phishing and stolen credentials sit among the top entry points. Sending a file the wrong way is one of the cheapest mistakes to make and one of the most expensive to clean up.
Here is what you will learn in this guide.
- How to pick the right secure method for the file, the recipient, and the regulator watching you
- Step-by-step Outlook workflows for OneDrive links, Purview encryption, and third-party portals
- The federal statutes, state laws, and court rulings that decide whether your send was reasonable
- Named scenarios for lawyers, HR managers, and CFOs that mirror what you actually do at work
- The mistakes that quietly turn a routine email into a breach notice and a bar complaint
Why Outlook Attachments Fail the Security Test
Outlook is a mail client, not a vault. When you drop a 30 MB PDF into a new message, the client first checks the send/receive size limit set by your mail server, which Microsoft caps at 150 MB for Exchange Online tenants and 20 MB for many consumer Outlook.com accounts. If the file is too big, the message bounces with a non-delivery report, and users start looking for shortcuts that break the rules.
Even when the file fits, the attachment rides the same encryption as the email body. That means opportunistic TLS between mail servers, which is strong in transit but leaves a plain copy in the recipient’s mailbox. Anyone who later compromises that mailbox reads the attachment in the clear.
There is also a chain-of-custody problem. Once the attachment lands, the sender loses all control. The recipient can forward it, print it, drop it on a shared drive, or store it in a personal cloud account. If the file held PHI, non-public personal information, or attorney-client material, the sender now has a potential HIPAA breach under 45 CFR §164.402, a Safeguards Rule incident, or a waived privilege.
The Harleysville Insurance v. Holding Funeral Home ruling is the cautionary tale lawyers cite. An insurer uploaded claim files to a file-sharing service with no password. The court found the privilege waived because the sender failed to take reasonable precautions. The lesson carries over directly to Outlook attachments sent without encryption or access controls.
The regulatory piece layers on top. The HHS guidance on transmission security treats encryption as an addressable specification, which means you must implement it or document why an equivalent control works. “We didn’t get around to it” is not a defense. Neither is “the recipient asked for it that way.”
Finally, users confuse password-protecting a PDF with encrypting a message. A password on a PDF is a weak lock, and the recipient can only open it if you sent the password through a separate channel, assuming you remembered to send it at all. It does not protect the email body, the subject line, or any metadata, and recipients who save the file locally often strip it.
Method 1 - OneDrive and SharePoint Sharing Links
The cleanest path for most Microsoft 365 users is to stop attaching the file and start sharing a link instead. Outlook detects that the file lives in OneDrive or SharePoint and offers to attach a cloud link rather than a copy. The file stays inside your tenant, and the recipient clicks through to view or download it.
The security value is real. You keep one authoritative copy, you can set an expiration date and a password on the link, you can restrict the audience to specific people, and you can revoke access at any time. If you fire the vendor on Tuesday, the link dies on Tuesday.
How the Workflow Runs in Outlook
Upload the file to OneDrive or to a SharePoint document library inside your tenant. In a new Outlook message, choose Attach File, pick the file from Recent or Browse Web Locations, and select Share link instead of Attach as copy. Outlook inserts a link chip. Click the chip, choose Link settings, pick Specific people, add the recipient’s email, set Can view rather than Can edit, add a password, and set an expiration date that matches the business need.
The default People in your organization setting is dangerous for external recipients because it produces an access-denied error that tempts senders to loosen the link to Anyone with the link. That last setting is the one regulators hate. It lets the link travel through forwarding chains with no authentication.
Tenant admins can force expiration and block anonymous links from the SharePoint admin center. Senders who rely on defaults still get protection, and auditors see a consistent policy.
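As an added example that is not code from the article or from Microsoft's documentation, here is how a tenant admin can set those link defaults from the SharePoint Online Management Shell instead of clicking through the SharePoint admin center. The cmdlets and parameter values are those of Microsoft's SharePoint Online Management Shell; the tenant name contoso and the 30-day and 14-day expiry windows are placeholders chosen for illustration.

```powershell
# Added example (not from the original article): tenant-wide hardening of
# OneDrive/SharePoint sharing links with the SharePoint Online Management
# Shell. Assumes the Microsoft.Online.SharePoint.PowerShell module is
# installed and the caller is a SharePoint administrator. "contoso" is a
# placeholder tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Remove "Anyone with the link" from the menu. External sharing stays
#    possible, but only to authenticated guests (the "Specific people" audience).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 2. Make "Specific people" with "Can view" the default link Outlook inserts,
#    so a sender who never opens Link settings still ships a restricted link.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# 3. Force guest access to expire (30 days is an illustrative window), and cap
#    anonymous link lifetime in case anonymous links are ever re-enabled.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
Set-SPOTenant -RequireAnonymousLinksExpireInDays 14

# 4. Verify the resulting policy. Defaults drift, so this is the read-back an
#    auditor (or the FAQ entry on trusting IT defaults) will ask for.
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, RequireAnonymousLinksExpireInDays

if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Anonymous 'Anyone with the link' sharing is still enabled tenant-wide."
}
if ($tenant.DefaultSharingLinkType -ne 'Direct') {
    Write-Warning "Default link type is not 'Specific people'; users will get a broader default."
}
```

Site-level settings can only be as permissive as the tenant setting, so disabling anonymous links here closes the Anyone with the link option for every OneDrive and SharePoint site at once; individual sites can still be tightened further with Set-SPOSite.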
Where This Method Wins and Where It Fails
OneDrive links win on size, control, and auditability. The OneDrive per-file cap now sits at 250 GB, which is far beyond any email server limit, and every click generates a log in the Microsoft 365 audit trail. HIPAA covered entities can satisfy the transmission security rule, and lawyers meet the ABA 477R reasonableness standard when they add password and expiration.
The method fails when the recipient’s organization blocks Microsoft cloud links, when the recipient is a court e-filing system that only accepts direct attachments, or when the sender forgets to switch from Anyone with the link to Specific people. It also fails for regulated data that cannot leave a specific geography, because the file follows your tenant’s region, not the recipient’s.
Named Example - Maria, the Estate Attorney
Maria runs a solo probate practice in Austin. She needs to send a 48 MB scanned will, a trust instrument, and three account statements to opposing counsel in a fee dispute. She uploads the packet to a Client Matter folder in OneDrive, shares a Specific people link with opposing counsel’s email, sets a 14-day expiration, and adds a password that she calls in on a recorded line. If the link leaks, the password stops the read. If opposing counsel’s mailbox is breached later, she revokes access from the OneDrive Manage access panel, and the file stops opening.
Method 2 - Microsoft Purview Message Encryption
When the file must travel as an actual email attachment because the recipient cannot click a cloud link, Microsoft Purview Message Encryption is the right tool. Purview encrypts the message body and the supported attachments so that only the authenticated recipient can read them, even if the message sits in a compromised mailbox for years.
Purview is not the same as TLS. TLS protects the pipe between two mail servers. Purview protects the envelope itself. The encryption follows the message from the sender’s Outlook client through the Exchange Online transport pipeline out to the recipient, whether that recipient is on Microsoft 365, Gmail, Yahoo, or a home ISP account.
How Encryption Looks to the Sender and the Recipient
Inside Outlook on Windows, Mac, or the web, the sender composes the message, attaches the file, and clicks Encrypt on the ribbon. Options include Encrypt-Only, Do Not Forward, Confidential, and Highly Confidential. Encrypt-Only is the right default for most outside sharing because it keeps the recipient’s normal workflow intact. Do Not Forward disables forward, print, and copy. Administrators can also auto-apply encryption with mail flow rules keyed to keywords such as confidential, PHI, or a social security number pattern.
A recipient inside Microsoft 365 sees the message decrypted in place. An external recipient gets a portal link, authenticates with a one-time passcode or a federated identity, and reads the message in a browser. Supported attachments, including Word, Excel, PowerPoint, and PDF files, inherit the same protection. Files outside the supported list remain unencrypted at the attachment level, which is a trap many senders miss.
Regulatory Fit
Purview checks the box for the HIPAA transmission security specification when paired with reasonable identity verification on the recipient side. It also fits GLBA and the FTC Safeguards Rule encryption requirement, and it satisfies the NIST SP 800-171 3.13.8 transmission confidentiality control that federal contractors must meet for controlled unclassified information.
State laws reward it. The New York SHIELD Act and the Massachusetts 201 CMR 17.00 data security regulation both cite encryption in transit as a safe-harbor-style control. A breach of an encrypted file often avoids notification duties, while a breach of a plain attachment almost always triggers them.
Named Example - James, the Hospital Billing Manager
James oversees billing at a 200-bed community hospital. A commercial payer auditor asks for 60 claim files totaling 90 MB. The payer’s portal is down, so the auditor requests email delivery. James composes one message in Outlook, attaches the claim PDFs, selects Encrypt > Do Not Forward, and sends. The auditor authenticates through the Microsoft-hosted portal with a one-time code. The files cannot be forwarded to the auditor’s personal Gmail. If the auditor’s laptop is stolen next week, the attachments stay locked.
Method 3 - Vetted Third-Party Secure File Transfer
Sometimes the recipient lives in a regulated environment that will not accept Microsoft cloud links, or the file exceeds the 150 MB Exchange Online cap, or the sender needs features Microsoft does not offer, such as end-to-end zero-knowledge encryption, data-sovereignty controls, or detailed compliance reporting. That is where a vetted third-party secure file transfer platform earns its keep.
Examples that organizations commonly pair with Outlook include Tresorit, Citrix ShareFile, Kiteworks, Virtru, and Box with KeySafe. Each offers an Outlook add-in that replaces the standard attachment with a secure link or an encrypted attachment that only opens after the recipient authenticates.
What to Check Before You Trust a Vendor
Due diligence is not optional. Ask for the vendor’s SOC 2 Type II report, a current HIPAA Business Associate Agreement if you handle PHI, FedRAMP authorization if you sell to the federal government, and proof of ISO 27001 certification for international work. A vendor that cannot produce these documents is not ready for your regulated data.
Also confirm data residency. A U.S. law firm handling EU client matters needs to know whether the files rest in the EU, which is a GDPR Article 44 transfer question. Confirm key management. Customer-managed keys beat vendor-managed keys for the highest-risk files. Confirm breach notification timelines that match your regulator’s expectations.
How the Outlook Integration Works
After the add-in is installed, the user composes a normal Outlook message and clicks a ribbon button such as Send Secure or Attach from ShareFile. The add-in uploads the file to the vendor’s cloud, replaces the attachment with a branded link, and lets the sender set expiration, password, watermark, and download limits. Some add-ins rewrite the entire message to travel inside the vendor’s encrypted channel.
The recipient clicks the link, authenticates by one-time passcode, single sign-on, or a vendor account, and downloads the file. The sender sees who opened it and when, which creates the audit trail a regulator or a court will want to see.
Named Example - Priya, the CFO on an M&A Deal
Priya is CFO at a mid-market manufacturer negotiating a sale. Her banker asks for a 2.4 GB data room dump that includes customer lists, five years of financials, and HR records. Outlook cannot carry that payload at any setting, and the banker's firm blocks Microsoft cloud links by policy. Priya uploads the files to her ShareFile vault, sends a secure Outlook message with a link that expires in 72 hours, requires two-factor authentication, and watermarks each PDF with the viewer's email. When the deal pauses, she revokes the link from the ShareFile console, and the banker sees Access denied the next time the link is opened.
Three Scenarios Lawyers and Compliance Teams See Every Week
Scenario Table 1 - Sending Discovery to Opposing Counsel
| Sender Action | Legal Consequence |
|---|---|
| Attaches 80 MB of PDFs with no encryption | Potential privilege waiver under Harleysville v. Holding and exposure of work product |
| Uses OneDrive Anyone with the link | Loss of chain of custody, possible sanctions under FRCP 26(f) cooperation duties |
| Uses OneDrive Specific people with password and expiration | Meets ABA 477R reasonableness and preserves privilege |
| Uses Purview Do Not Forward with one-time passcode | Maximum control, strong audit trail, safe for trade secrets |
Scenario Table 2 - Transmitting Patient Records to an External Specialist
| Sender Action | HIPAA Outcome |
|---|---|
| Plain Outlook attachment over TLS only | Addressable encryption failure, possible 45 CFR §164.312(e) violation |
| Password-protected ZIP emailed with the password | Weak control, password often shared over the same channel, still risky |
| Purview encrypted message with Encrypt-Only | Satisfies transmission security, supports breach safe-harbor analysis |
| Vendor portal with a signed Business Associate Agreement | Full compliance, full audit trail, full BAA coverage |
Scenario Table 3 - Sharing a Data Room with an M&A Buyer
| Sender Choice | Deal Risk |
|---|---|
| Email attachments in batches | Size errors, version confusion, leaked drafts |
| OneDrive link without expiration | Buyer retains access after deal collapse, trade secret exposure under DTSA |
| OneDrive link with expiration and password | Controlled access, revocable, audit-ready |
| Third-party data room with watermarks and 2FA | Highest control, best fit for cross-border deals subject to GDPR Article 44 |
Mistakes to Avoid
- Using Anyone with the link sharing on OneDrive because it skips authentication and lets the file travel through forwarding chains, which regulators treat as an unreasonable control.
- Emailing the password in the same thread as the link, which defeats the purpose and is a finding auditors flag under the FTC Safeguards Rule.
- Relying on a PDF password alone, because the email body and metadata stay unprotected and most PDF passwords fall to offline cracking.
- Forwarding a Purview-encrypted message and stripping the protection by exporting to PDF, which destroys the audit chain.
- Trusting a free file transfer site with regulated data, since no Business Associate Agreement exists and the service may store files in an unknown jurisdiction.
- Sending controlled unclassified information to foreign recipients without checking ITAR or EAR export controls, which can trigger criminal penalties.
- Ignoring ABA Formal Opinion 477R, which tells lawyers to use encryption when the sensitivity of the communication requires it.
- Failing to revoke access when a matter ends, so the recipient still holds live links to confidential client files.
- Sending CCPA-regulated personal information without encryption, which can raise the California statutory damages floor in a breach suit.
- Skipping the audit log review after sending, because you never learn who actually opened the file.
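The last mistake above, skipping the audit log review, and the earlier point that every click on a OneDrive link lands in the Microsoft 365 audit trail, can be turned into a routine check. The script below is an added example, not code from the article or from Microsoft; it uses the Search-UnifiedAuditLog cmdlet from Microsoft's ExchangeOnlineManagement module, assumes an account with audit log search permission, and uses a seven-day review window and the guest UPN marker #EXT# as assumptions about the tenant being reviewed.

```powershell
# Added example (not from the original article): a post-send review of
# OneDrive/SharePoint sharing events in the Microsoft 365 unified audit log.
# It flags "Anyone with the link" creation (AnonymousLinkCreated), which the
# article treats as an unreasonable control, and lists which guest identities
# actually downloaded files. Assumes the ExchangeOnlineManagement module and
# an account permitted to search the audit log. The 7-day window is an
# illustrative choice.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)

# Each record carries its detail as a JSON string in AuditData; expand it so
# Operation, UserId, ObjectId (the file URL) and ClientIP become properties.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations AnonymousLinkCreated, SharingSet, FileDownloaded `
    -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Finding 1: any anonymous link is a policy violation regardless of who made it.
$anonymous = @($events | Where-Object Operation -eq 'AnonymousLinkCreated')
if ($anonymous.Count -gt 0) {
    Write-Warning ("{0} 'Anyone with the link' link(s) created in the last 7 days" -f $anonymous.Count)
    $anonymous | Select-Object CreationTime, UserId, ObjectId, ClientIP | Format-Table -AutoSize
}

# Finding 2: sharing grants to external people (SharingSet with a guest target),
# so the sender can confirm the audience matches the intended recipient.
$events | Where-Object { $_.Operation -eq 'SharingSet' -and $_.TargetUserOrGroupType -eq 'Guest' } |
    Select-Object CreationTime, UserId, TargetUserOrGroupName, ObjectId |
    Format-Table -AutoSize

# Finding 3: which guest identities (UPNs containing #EXT#) downloaded files,
# which is the "who actually opened it" answer the article says to look for.
$events | Where-Object { $_.Operation -eq 'FileDownloaded' -and $_.UserId -like '*#EXT#*' } |
    Select-Object CreationTime, UserId, ObjectId, ClientIP |
    Sort-Object CreationTime | Format-Table -AutoSize
```

Run it after a high-risk send, or on a schedule; an unexpected guest in Finding 2 or a download from an unfamiliar address in Finding 3 is the moment to revoke the link from the Manage access panel.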
Do’s and Don’ts
- Do upload files to OneDrive or SharePoint before attaching, so the file stays in your tenant under audit control.
- Do set an expiration date that matches the business need, because indefinite access is the top finding in internal audits.
- Do encrypt the message itself with Purview when the data is regulated, since attachment-only protection leaves the email body exposed.
- Do verify the recipient’s email address twice, because one typo sends protected data to a stranger.
- Do train every user on the ribbon workflow, because the best tool fails when staff never touch it.
- Don't use personal email or consumer file transfer for work files, since no BAA and no audit log exist.
- Don’t rely on mail server TLS alone, because the file lands unprotected in the recipient’s mailbox.
- Don’t share passwords in the same channel as the link, since a single mailbox breach gives up both halves.
- Don’t leave sharing defaults on Anyone with the link, because regulators treat it as unauthenticated disclosure.
- Don’t forget to revoke access when the project ends, since stale links are breach vectors waiting to happen.
Pros and Cons of Each Method
| Method | Pros | Cons |
|---|---|---|
| OneDrive / SharePoint link | One copy, revocable, audit trail, up to 250 GB per file | Needs M365, some recipients block cloud links |
| Purview Message Encryption | True envelope encryption, works to any mailbox, strong regulator fit | External recipients must authenticate, unsupported files stay unencrypted |
| Third-party secure transfer | Largest files, richest controls, BAA and SOC 2 options | Cost, training, vendor risk to manage |
State Law Nuances That Change Your Choice
Federal rules set the floor, but state law often sets the ceiling. The California Consumer Privacy Act as amended by the CPRA gives consumers a private right of action for breaches caused by failure to maintain reasonable security. Unencrypted email attachments carrying personal information are almost always unreasonable under that standard, and statutory damages run up to $750 per consumer per incident.
The New York SHIELD Act requires reasonable administrative, technical, and physical safeguards, and it treats encrypted data as exempt from notification duties when the key is not also compromised. That makes Purview encryption a breach-avoidance tool in New York, not just a compliance checkbox.
Massachusetts goes further under 201 CMR 17.00, which affirmatively requires encryption of personal information transmitted across public networks. A Massachusetts employer that emails a 10 MB payroll file in the clear violates the regulation even without a breach.
Texas and Illinois enforce strict biometric and consumer privacy rules, including the Illinois Biometric Information Privacy Act, which carries per-violation statutory damages that have produced nine-figure settlements. Biometric templates sent as attachments without encryption sit at the worst end of that exposure.
Financial services sit under overlapping state rules, including the New York DFS Cybersecurity Regulation 23 NYCRR 500, which mandates encryption of non-public information in transit unless a CISO-approved compensating control is documented. “We used Outlook” is never the compensating control DFS examiners accept.
Processes, Forms, and Admin Controls You Should Know
The Microsoft 365 admin center is where most of the real security lives. Tenant admins control the maximum send size up to 150 MB, default link type, whether anonymous links are allowed, password requirements on links, and default expiration windows. Every one of those defaults sets the floor that your users can loosen or tighten.
Inside Exchange Online, mail flow rules drive automatic encryption. A rule that reads "If the message contains the word confidential or matches the SSN pattern, apply Office 365 Message Encryption with Encrypt-Only" catches careless users without asking them to remember a ribbon click. The define-mail-flow-rules guide walks through the exact steps.
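The auto-apply rules described in the Purview section (keywords such as confidential, PHI, or a social security number pattern) and in the paragraph above can be created from PowerShell as well as from the Exchange admin center. The following is an added example, not code from the article or from Microsoft; it uses New-TransportRule from Microsoft's ExchangeOnlineManagement module with the built-in "Encrypt" (Encrypt-Only) rights protection template and the built-in U.S. Social Security Number sensitive information type, and it assumes an Exchange administrator account. The rule names and priorities are placeholders.

```powershell
# Added example (not from the original article): two Exchange Online mail flow
# rules that auto-apply Purview Message Encryption (Encrypt-Only) to outbound
# mail, so a sender who forgets the Encrypt button is still covered. Assumes
# the ExchangeOnlineManagement module and an Exchange administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Rule 1: keyword trigger. "Encrypt" is the Encrypt-Only template; the stricter
# "Do Not Forward" template is the alternative the article describes.
# -SentToScope NotInOrganization limits the rule to external recipients, where
# TLS-only delivery leaves the attachment unprotected at rest.
New-TransportRule -Name "Auto-encrypt: confidential keyword (external)" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "confidential", "PHI" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypt-Only for outbound mail mentioning confidential or PHI" `
    -Priority 0

# Rule 2: sensitive information type trigger. The SSN classification is one of
# Microsoft's built-in types; minCount 1 fires on the first match in the
# message body or a supported attachment.
New-TransportRule -Name "Auto-encrypt: SSN detected (external)" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypt-Only when a U.S. SSN is detected" `
    -Priority 1

# Read back both rules: confirm they are Enabled and carry the Encrypt template.
Get-TransportRule | Where-Object { $_.Name -like "Auto-encrypt:*" } |
    Select-Object Priority, Name, State, ApplyRightsProtectionTemplate |
    Format-Table -AutoSize
```

Pair these rules with a sensitivity label policy for the cases the rule conditions cannot see, such as an unsupported attachment type that the Purview section notes stays unencrypted at the attachment level.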
Labels matter too. Microsoft Purview sensitivity labels let users tag a message as Confidential or Highly Confidential and apply encryption, watermarking, and forwarding restrictions automatically. Labels travel with the file when it is downloaded, which extends protection beyond the mail channel.
For court-bound material, check the federal e-filing system CM/ECF requirements and any local rules. Many courts reject encrypted attachments, so a lawyer who encrypts everything by reflex can miss filing deadlines.
Key Entities to Know
The Department of Health and Human Services Office for Civil Rights enforces HIPAA and publishes guidance on reasonable transmission security. The Federal Trade Commission enforces the Safeguards Rule and GLBA privacy obligations. The Securities and Exchange Commission enforces the Regulation S-P Safeguards Rule for broker-dealers and investment advisers.
The American Bar Association Standing Committee on Ethics and Professional Responsibility issues the formal opinions that define reasonable lawyer conduct. The National Institute of Standards and Technology publishes SP 800-171 and the Cybersecurity Framework that most regulators cite. Microsoft sits on top of all of this as the platform vendor, and its Service Trust Portal is where you download the compliance attestations auditors will ask for.
Court Rulings Worth Reading
Harleysville Insurance v. Holding Funeral Home remains the central cautionary case on unsecured file sharing and privilege waiver. The court found that uploading claim files to a sharing service without a password was not a reasonable step to preserve privilege, and the privilege was lost.
Harkabi v. SanDisk Corp. reinforces that spoliation sanctions can follow when electronic information is mishandled, even without bad faith, which elevates the stakes on every file transfer.
FTC v. Wyndham Worldwide confirmed the FTC’s authority to police unreasonable data security under Section 5 of the FTC Act, including failures to encrypt sensitive customer data in transit.
FAQs
Is it safe to email attachments over 20 MB through Outlook without encryption?
No. Even when the file fits under the 150 MB Microsoft 365 cap, the attachment rides plain inside the recipient’s mailbox, fails most regulator tests, and exposes the sender to breach notification duties.
Does Microsoft 365 encrypt my attachments automatically?
No. Microsoft 365 protects messages with TLS between mail servers by default, but the attachment sits unencrypted at rest in the recipient’s mailbox unless you apply Purview Message Encryption or a sensitivity label.
Can I use OneDrive sharing links to meet HIPAA requirements?
Yes. OneDrive and SharePoint sharing links with password, expiration, and Specific people audience meet the HIPAA transmission security standard when paired with a Microsoft Business Associate Agreement.
Do I need a Business Associate Agreement with Microsoft to share PHI through Outlook?
Yes. Any covered entity or business associate that uses Microsoft 365 for PHI must have the standard Microsoft BAA in place before sending protected health information through Outlook or OneDrive.
Will Purview Message Encryption work if my recipient uses Gmail?
Yes. External recipients receive a portal link, authenticate through a one-time passcode or federated identity, and read the message in a browser without needing a Microsoft 365 account.
Is password-protecting a PDF enough for confidential legal documents?
No. A PDF password is a weak offline control, it leaves the email body and metadata exposed, and it does not meet the ABA 477R reasonableness standard for most sensitive matters.
Can an Outlook recipient forward an encrypted message to someone else?
No. Not when you select Do Not Forward, which disables forward, print, and copy, and the restriction follows the message even after the recipient logs in.
Does setting a OneDrive link to expire revoke past downloads?
No. Expiration stops future access, but a file already downloaded to the recipient’s device remains on that device, which is why sensitivity labels and rights management add stronger controls.
Are third-party secure file transfer tools worth the cost for small firms?
Yes. For firms that regularly exchange regulated data, the audit logs, BAAs, and granular controls from vendors like Tresorit, ShareFile, or Kiteworks justify the subscription against a single breach investigation cost.
Can I send ITAR-controlled technical data to a foreign national through Outlook?
No. ITAR-controlled data requires an export license or license exception, strong encryption, and recipient screening, and ordinary Outlook attachments do not meet those controls under the State Department’s rules.
Does a court accept encrypted attachments for e-filing?
No. Most federal and state e-filing systems reject encrypted or password-protected PDFs, so senders must strip encryption before filing while preserving a protected copy for the client file.
Is it enough to just trust my IT department’s defaults?
No. Defaults change, tenants drift, and users override settings every day, which is why every sender of regulated data should confirm the share type, expiration, and encryption on each high-risk message.