Hi,
There are two possible scenarios:
- If the shared mailbox has only the "send on behalf" privilege, DLP will be able to identify the real sender without doing anything special (there is a header dedicated to that in the SMTP protocol: Sender).
- If the shared mailbox has the "send as" privilege, the one where you usually don't have any clue who really sent the message because SMTP does not track the real sender, it will be much more complicated:
  - If this always happens with the same policy, try to switch it to endpoint level if you can. That way you will have the Windows login used to send the email.
  - If you have a full and up-to-date referential of workstation IP addresses, you can use it to identify who the real sender is. You may add this parameter and this referential as a source for your plugin which computes user identity.
  - You could always ask the messaging team for an investigation if it is a one-time case.
Regards
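
The two cases described above, as an added example that is not part of the original post and not code from any DLP product: it checks the Sender header first, then falls back to a workstation IP referential. The function name, the `client_ip` input, the IP-to-login map and the sample messages are all constructed assumptions; how the sending IP is exposed depends on your DLP.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed referential: workstation IP -> Windows login (assumption).
WORKSTATION_OWNERS = {"10.20.30.41": "CORP\\jdoe"}

# Constructed sample: "send on behalf" keeps the real user in Sender.
ON_BEHALF = (
    "From: Support <support@example.com>\n"
    "Sender: John Doe <jdoe@example.com>\n"
    "To: customer@example.net\n"
    "Subject: test\n\nbody\n"
)

# Constructed sample: "send as" shows only the shared mailbox.
SEND_AS = (
    "From: Support <support@example.com>\n"
    "To: customer@example.net\n"
    "Subject: test\n\nbody\n"
)


def resolve_real_sender(raw_message, client_ip=None, owners=WORKSTATION_OWNERS):
    """Return (identity, method) for a message sent from a shared mailbox."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_addr = parseaddr(msg.get("Sender", ""))[1].lower()

    # Send on behalf: Sender differs from From and names the real user.
    if sender_addr and sender_addr != from_addr:
        return sender_addr, "sender-header"

    # Send as: no usable header, so try the workstation IP referential.
    if client_ip and client_ip in owners:
        return owners[client_ip], "ip-referential"

    # Nothing matched: this is the case to hand to the messaging team.
    return None, "unresolved"


if __name__ == "__main__":
    print(resolve_real_sender(ON_BEHALF))
    print(resolve_real_sender(SEND_AS, client_ip="10.20.30.41"))
    print(resolve_real_sender(SEND_AS, client_ip="10.20.30.99"))
```

An IP-based match is only as reliable as the referential: shared workstations or stale address assignments will attribute the message to the wrong login.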