diff --git a/modules/Emails/views/MassSaveAjax.php b/modules/Emails/views/MassSaveAjax.php
index 0bc9a8b4b7576d4159c9f974819ff1ecd5461abc..3d7d2a6e34a912f24d9cf4e7bc3601a3d6c147b8 100644
--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -221,6 +221,11 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 					$newFilePath = $upload_file_path . $current_id . "_" . $encryptFileName;
 
 					Vtiger_Utils::checkFileAccess($oldFilePath);
+
+					//restrict attachment only from storage directory
+					if (strpos($oldFilePath, "storage/") !== 0) {
+                                                throw new Exception("Attachment access denied");
+                                        }
 					copy($oldFilePath, $newFilePath);
 
 					$sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
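Review bot: The added guard `strpos($oldFilePath, "storage/") !== 0` tests only the raw string, so a path that begins with `storage/` but contains `..` segments (or is a symlink pointing elsewhere) still passes and reaches `copy()`. The path should be canonicalised with `realpath()` and compared against the canonical storage directory plus a trailing separator, and the resolved path should be the one copied. This assumes the working directory is the application root, as the relative `storage/` prefix already does. Whether `Vtiger_Utils::checkFileAccess` normalises the path is not visible here, and the enclosing method starts and ends outside the hunk. The new lines also mix spaces with the file's tab indentation.

```php
Vtiger_Utils::checkFileAccess($oldFilePath);

// restrict attachments to files that resolve inside the storage directory
$storageRoot = realpath('storage');
$resolvedOldPath = realpath($oldFilePath);
if ($storageRoot === false || $resolvedOldPath === false
		|| strpos($resolvedOldPath, $storageRoot . DIRECTORY_SEPARATOR) !== 0) {
	throw new Exception("Attachment access denied");
}
copy($resolvedOldPath, $newFilePath);
// … unchanged: vtiger_crmentity insert …
```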