I have the dubious honour of having MS Advanced Threat Protection turned on for my mail server. 

If you don't know already this takes attachments an opens them in a sand box to see if they do anything bad.  This is a slow process so they came up with an annoying kludge where they deliver the email twice, once without the attachment and then later with the attachment.  If you use ms-exhange the first email is sucked back and replaced by the second. If you don't then you either get one or both depending on how your email is set up (the ATP system handles non-exchange clients really badly).

Why? who knows? but it is really annoying.

Anyway the process is annoyingly inconsistent:

-> Sometimes the first message comes with an ATP notification and no attachment - this I can catch in procmail trivially.

-> Sometimes the first message contains no ATP notification and a 0 byte length attachment.

-> There are other cases but these are relative infrequent

Is there a simple way in procmail that I can use to trap the second case (0 byte length attachment(s))? I simply don't want the first (useless) message and want to divert these to a holding pen.