While the suspicious account is contained, every Defender for Endpoint onboarded device blocks inbound traffic from that identity over the protocols attackers use to move laterally, while traffic from other identities continues to flow. This does not silence the attacker entirely, but it denies them the compromised account as a way of reaching other machines.
Microsoft elaborated, “When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify, and remediate the threat to the compromised identity.”
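As an added illustration of the decision the quoted text describes (this is a toy model, not Microsoft's implementation, and the inbound-attempt records, port-to-protocol mapping, account names and host names are all constructed for the example), the following Python models a contained identity: connections presenting that account over network logon, RPC, SMB or RDP are blocked on onboarded hosts, everything else is allowed, and hosts that are not onboarded are reported as enforcement gaps, which is the caveat a practitioner should check before relying on containment.

```python
"""Toy model of identity containment.

Added example, not Microsoft's code. Assumptions: an inbound attempt is
identified by the account it presents, the destination host and port, and
(optionally) the Windows logon type; destination port stands in for protocol.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Protocols the quoted text names as blocked for a contained identity.
BLOCKED_PROTOCOLS = {"NETWORK_LOGON", "RPC", "SMB", "RDP"}

# Assumed port-to-protocol mapping for the example.
PORT_TO_PROTOCOL: Dict[int, str] = {135: "RPC", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class InboundAttempt:
    account: str                      # identity presented, e.g. CORP\jdoe
    dst_host: str                     # host receiving the connection
    dst_port: int
    logon_type: Optional[int] = None  # 3 = network logon in Windows 4624 events


def classify_protocol(attempt: InboundAttempt) -> str:
    """Map an attempt to one of the blocked protocol names or 'OTHER'."""
    if attempt.logon_type == 3:
        return "NETWORK_LOGON"
    return PORT_TO_PROTOCOL.get(attempt.dst_port, "OTHER")


def decide(attempt: InboundAttempt, contained: Set[str], onboarded: Set[str]) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one inbound attempt.

    Only a contained account over a blocked protocol is ever blocked, and
    only if the destination host is onboarded to enforce the containment.
    """
    proto = classify_protocol(attempt)
    if attempt.account.lower() not in {a.lower() for a in contained}:
        return "allow", "account not contained"
    if proto not in BLOCKED_PROTOCOLS:
        return "allow", f"{proto} is not a blocked protocol"
    if attempt.dst_host not in onboarded:
        return "allow", "GAP: host not onboarded, containment not enforced"
    return "block", f"contained account over {proto}"


def evaluate(attempts: List[InboundAttempt], contained: Set[str], onboarded: Set[str]):
    """Run decide() over a batch and keep the attempt beside its verdict."""
    return [(a, *decide(a, contained, onboarded)) for a in attempts]


def coverage_gaps(results) -> List[str]:
    """Hosts where a contained account got through only because the host
    is not onboarded; these would have blocked had enforcement been in place."""
    return sorted({a.dst_host for a, verdict, reason in results
                   if verdict == "allow" and reason.startswith("GAP")})


# Constructed sample: one contained account, three onboarded hosts.
CONTAINED = {r"CORP\jdoe"}
ONBOARDED = {"FS01", "DC01", "WEB01"}
SAMPLE_ATTEMPTS = [
    InboundAttempt(r"CORP\jdoe", "FS01", 445),                 # SMB, onboarded: block
    InboundAttempt(r"CORP\jdoe", "DC01", 389, logon_type=3),   # network logon: block
    InboundAttempt(r"CORP\jdoe", "WEB01", 443),                # HTTPS: legitimate, allow
    InboundAttempt(r"CORP\alice", "FS01", 3389),               # not contained: allow
    InboundAttempt(r"CORP\jdoe", "LEGACY01", 3389),            # RDP, host not onboarded: gap
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_ATTEMPTS, CONTAINED, ONBOARDED)
    for attempt, verdict, reason in results:
        print(f"{verdict:5} {attempt.account} -> {attempt.dst_host}:{attempt.dst_port} ({reason})")
    print("enforcement gaps:", coverage_gaps(results))
```

The ordering of checks in `decide` matters: onboarding is tested last so that `coverage_gaps` only lists hosts where containment would actually have fired, not every non-onboarded host that saw ordinary traffic.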