Hi @Rudranarayan P2,

You can restrict which attachments are sent to external customers by controlling visibility at the attachment level and then filtering them in the notification script, rather than relying on OOB behavior alone.

1. Mark attachments as “internal‑only”

There is no OOB “internal‑only” flag on attachments, but you can simulate it:

- Add a checkbox field on sys_attachment (e.g., u_internal_only) and set it for attachments that should not go to customers.

- Create a read ACL on sys_attachment so that external users (e.g., x_csm_external) cannot read records where u_internal_only = true. 

This hides the attachment from the customer in the UI and also makes it easier to filter later in notifications.

2. Filter attachments in the email notification

For the case‑update email that goes to customers, I would recommend customizing the notification’s script so it only includes attachments that are not marked as internal‑only:

(function runMailScript(/* GlideRecord */ current, /* TemplatePrinter */ template,
                       /* Optional EmailOutbound */ email, /* Optional GlideRecord */ email_action,
                       /* Optional GlideRecord */ event) {

    // Only attach files that are NOT marked as internal‑only
    var attach = new GlideRecord('sys_attachment');
    attach.addQuery('table_sys_id', current.sys_id);
    attach.addQuery('table_name', current.getTableName());
    attach.addQuery('u_internal_only', '!=', true);  // skip internal‑only
    attach.query();

    while (attach.next()) {
        email.addAttachment(attach);
    }

})(current, template, email, email_action, event);

This pattern:

- Leaves internal‑only attachments visible to agents.

- Prevents them from being included in customer‑facing emails.

Hope this helps and provides a solution for your requirement.