Multiple downloads of a malicious file are only recorded as a single event on the Advanced Threat Protection platform