ATP Platform shows multiple events for a single email with multiple malware detections.
Behavior by design.
To properly correlate events to other events, ATP Platform has to translate events from Email Security.cloud in such a way that an event is generated for each piece of malware that is detected by the Anti-malware service of Email Security.cloud, even when multiple detections occur within a single email attachment. In contrast, the Email Track and Trace tool within the customer portal of Email Security.cloud is geared more towards identifying that a malware detection occurred and whether a mail message was blocked because of the malware or spam detection.
Email Security.cloud correlation enabled
Use as is.