Attributes are defined in LDAP for a given user that changes their "send as" email address.
Custom Attributes do not populate.
Because the sender email is not the same as the value of the mail attribute for the user, the default LDAP lookups will not work out-of-the-box.
The Administration Guide for DLP specifies the following string as an example for an LDAP lookup string:
attr.CustomAttributeName = search_base:(search_filter=$variable$):ldapAttribute
For additional context, here are the ownership qualities for each section of that string:
|attr.CustomAttributeName||This is a DLP attribute|
|= search_base:||This is an LDAP value|
|(search_filter=||This is an LDAP value|
|$variable$||This is a DLP variable|
|):ldapAttribute||This is an LDAP value|
Furthermore, the Administration Guide states, “In cases where multiple plug-ins are chained together, the parameter might be a variable that is passed to the LDAP Lookup Plug-In by a previous plug-in.”
To implement an LDAP Lookup Plug-In
Name: LDAP Lookup Plug-in 0
Description: Description for the LDAP Plug-in.
The end result will be a new custom attribute, located on the right hand side of the incident snapshot, where the sender address == newTargetAddress.