ATP Platform shows multiple events for a single email with multiple malware detections.
Email Security.cloud correlation enabled
Behavior by design.
To properly correlate events to other events, ATP Platform has to translate events from Email Security.cloud in such a way that an event is generated for each piece of malware that is detected by the Anti-malware service of Email Security.cloud, even when multiple detections occur within a single email attachment. In contrast, the Email Track and Trace tool within the customer portal of Email Security.cloud is geared more towards identifying that a malware detection occurred and whether a mail message was blocked because of the malware or spam detection.
Use as is.