diff --git a/server/migrations/20221112162341-attachment-tracking.js b/server/migrations/20221112162341-attachment-tracking.js
new file mode 100644
index 000000000..0b38c4007
--- /dev/null
+++ b/server/migrations/20221112162341-attachment-tracking.js
@@ -0,0 +1,13 @@
+"use strict";
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addColumn("attachments", "lastAccessedAt", {
+      type: Sequelize.DATE,
+      allowNull: true,
+    });
+  },
+  down: async (queryInterface) => {
+    await queryInterface.removeColumn("attachments", "lastAccessedAt");
+  },
+};
diff --git a/server/models/Attachment.ts b/server/models/Attachment.ts
index e742a3efb..1da319a8a 100644
--- a/server/models/Attachment.ts
+++ b/server/models/Attachment.ts
@@ -44,6 +44,9 @@ class Attachment extends IdModel {
   @Column
   acl: string;
 
+  @Column
+  lastAccessedAt: Date | null;
+
   // getters
 
   get name() {
diff --git a/server/routes/api/attachments.ts b/server/routes/api/attachments.ts
index b447279ed..c2c646a8d 100644
--- a/server/routes/api/attachments.ts
+++ b/server/routes/api/attachments.ts
@@ -159,11 +159,15 @@ const handleAttachmentsRedirect = async (ctx: ContextWithState) => {
     rejectOnEmpty: true,
   });
 
-  if (attachment.isPrivate) {
-    if (attachment.teamId !== user.teamId) {
-      throw AuthorizationError();
-    }
+  if (attachment.isPrivate && attachment.teamId !== user.teamId) {
+    throw AuthorizationError();
+  }
 
+  await attachment.update({
+    lastAccessedAt: new Date(),
+  });
+
+  if (attachment.isPrivate) {
     const accessUrl = await getSignedUrl(attachment.key);
     ctx.redirect(accessUrl);
   } else {