This research was a joint effort by three people: Shang-De “John” Jiang, Kazma Ye, and Echo Lee.

Modern Single Sign-On (SSO) should offer security and simplicity, but Microsoft’s Intune implementation on macOS fails to securely validate the caller’s identity, exposing the Primary Refresh Token (PRT) cookie to theft by user-level attackers. This talk breaks down the full trust chain behind Intune’s macOS SSO flow, from BrowserCore to Apple’s AppSSOAgent, and shows how weak identity checks can be bypassed using a spoofed, signed Swift app. By impersonating trusted browsers, attackers can trigger SSO token flows and extract valid PRT cookies. Our findings expose subtle flaws in how trust is enforced across processes and code signatures.

Another obstacle for attackers has been Microsoft’s efforts to make it more difficult to register new devices using stolen credentials for persistence. Our research introduces a trick: once an attacker acquires a token with an MFA claim on the device, they can still register new devices and generate new tokens without concern for the original stolen token’s expiration.

We will demonstrate PRT cookie extraction on macOS, showing how credential theft techniques have expanded from Windows to macOS environments and how attackers can use these methods to maintain long-term persistence.