
Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery

DEFCONConference · 792 views · 41:13 · 6 months ago

This talk demonstrates techniques for stealing Primary Refresh Token (PRT) cookies from macOS devices to achieve persistence and bypass conditional access policies in Microsoft Entra ID. The researchers detail three methods for abusing the browser-based native messaging flow, including bypassing parent process checks and direct API invocation. The presentation highlights the risks of relying on device-based trust and provides actionable defense recommendations for securing Entra ID environments. A proof-of-concept tool for macOS PRT cookie theft is released as part of the research.

Bypassing Entra ID Conditional Access via macOS PRT Cookie Theft

TLDR: Researchers at DEF CON 2025 demonstrated how to steal Primary Refresh Token (PRT) cookies from macOS devices to achieve persistent access to Microsoft 365 and Azure environments. By abusing the browser-based native messaging flow, attackers can bypass conditional access policies and even register new, rogue devices. This research highlights a critical gap in macOS security compared to Windows and provides a clear path for red teams to maintain access in hybrid environments.

The security of Single Sign-On (SSO) implementations often rests on the assumption that the underlying operating system protects the primary authentication material. On Windows, the Local Security Authority Subsystem Service (LSASS) and the Trusted Platform Module (TPM) are the gatekeepers for the PRT. When we move to macOS, the landscape shifts. The recent research presented at DEF CON 2025 by Shang-De 'John' Jiang, Kazma Ye, and Echo Lee exposes how the implementation of SSO on macOS creates a significant, exploitable attack surface that allows for PRT cookie theft and subsequent device forgery.

The Mechanics of the Theft

The core of the issue lies in how the Microsoft Company Portal app and the associated SSO extension handle native messaging requests from browsers like Chrome and Edge. In a standard flow, the browser sends a request to the SSO extension to facilitate authentication. The researchers discovered that this communication channel is not sufficiently hardened.

By manipulating the environment, an attacker can force the browser to initiate an SSO request and then intercept the resulting PRT cookie. The researchers identified three distinct techniques to achieve this:

  1. Headless Browser-Based Native Messaging Abuse: This method involves running a browser in a headless state to interact with the native messaging host. It requires the victim to be logged into a desktop session, but it effectively automates the token request process.
  2. Bypassing Parent Process Checks: The SSO extension attempts to verify the caller by checking its parent process. The researchers found that this check is flawed. By using a crafted binary and manipulating the PATH environment variable, they could trick the extension into accepting a malicious process as a legitimate browser component.
  3. Direct SSO Invocation: This is the most surgical approach. By invoking the Apple APIs directly, an attacker can bypass the browser entirely, interacting with the SSO extension to request and receive the PRT cookie.

Technical Execution and Bypassing Protections

The most interesting technical finding is the bypass of the parent process check. The SSO extension uses runningApplicationWithProcessIdentifier to identify the caller. The researchers discovered that this function only validates the process ID and the bundle ID. Because the bundle ID is just a string in the Info.plist file, it is trivial to spoof.

To reproduce this, you need to create a binary that mimics the expected structure of a browser process. You then launch this binary and use lldb or a similar debugger to attach to the process, allowing you to manipulate the environment variables. Specifically, setting the PATH to a directory containing your malicious binary allows you to redirect the codesign check performed by the SSO extension.

# Example of redirecting the codesign check
export PATH=/tmp:$PATH
./malicious_binary

Once the PRT cookie is in hand, the game changes. The cookie contains the user identity and, crucially, device claims. If the original device was compliant, the stolen cookie carries those claims, allowing the attacker to bypass Conditional Access policies that require a compliant device.

Persistence via Device Forgery

Stealing the cookie is only the first step. The researchers demonstrated that an attacker can use this access to register a new, rogue device in Entra ID. By manipulating the authentication information, they can register a device that appears legitimate to the organization's security policies.

The researchers noted that while Microsoft has patched the specific technique for stealing the PRT cookie on macOS, the underlying logic flaw—the reliance on easily spoofed identifiers like bundle IDs—remains a concern. Furthermore, they highlighted that other vendors implementing similar SSO extensions on macOS are likely susceptible to the same class of vulnerabilities.

Defensive Recommendations

For defenders, the primary takeaway is that device-based trust is not a silver bullet. Relying solely on device compliance checks in Entra ID is insufficient if the device identity itself can be forged.

  1. Monitor Process Execution: Implement strict monitoring for any process attempting to interact with the Microsoft SSO extension. Any binary not signed by Microsoft or Apple that attempts to invoke these APIs should trigger an immediate alert.
  2. Review Entra ID Policies: Move away from weak conditional access policies that rely solely on IP or location. Instead, enforce Multi-Factor Authentication for all device registration and security information updates.
  3. Update Software: Ensure all macOS devices are running the latest version of the Microsoft Company Portal app. The researchers have released their proof-of-concept tool to help security teams test their own environments against these techniques.
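One way to turn the first recommendation into detection logic, written here as an added example (not the talk's PoC or any Microsoft code): score process-execution events for callers of the SSO extension. It goes a little beyond the page's "Microsoft or Apple only" rule by also accepting a browser whose bundle ID and code-signing authority agree, and it separately flags the two abuse patterns the talk describes: a bundle ID that claims a vendor the signer does not match, and a PATH that searches a world-writable directory before /usr/bin. The event format, the extension identifier, the vendor table and the sample records are all constructed assumptions.

```python
import json

SSO_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"  # assumed identifier
TRUSTED_SIGNERS = {"Microsoft Corporation", "Apple Inc."}           # the talk's baseline rule
# Bundle-ID prefix -> organisation expected in the signing authority (constructed table).
EXPECTED_SIGNER = {"com.google.": "Google LLC", "com.microsoft.": "Microsoft Corporation",
                   "com.apple.": "Apple Inc."}
WRITABLE_DIRS = ("/tmp", "/private/tmp", "/var/tmp")

def signer_org(authority):
    """'Developer ID Application: Google LLC (TEAMID)' -> 'Google LLC'; None if unsigned."""
    if not authority or ":" not in authority:
        return None
    return authority.split(":", 1)[1].split("(")[0].strip()

def path_is_hijackable(path_env):
    """True when a world-writable directory is searched before /usr/bin."""
    for entry in (path_env or "").split(":"):
        if entry.rstrip("/") in WRITABLE_DIRS:
            return True
        if entry == "/usr/bin":
            return False
    return False

def evaluate(event):
    """Names of the detections that fire for one invocation of the SSO extension."""
    if event.get("target") != SSO_EXTENSION_ID:
        return []
    findings, bundle = [], event.get("bundle_id", "")
    org = signer_org(event.get("authority"))
    expected = next((o for p, o in EXPECTED_SIGNER.items() if bundle.startswith(p)), None)
    if expected and org != expected:
        findings.append("bundle_id_signer_mismatch")   # Info.plist bundle-ID spoof
    elif expected is None and org not in TRUSTED_SIGNERS:
        findings.append("untrusted_signer")            # neither Microsoft, Apple nor a known browser
    if path_is_hijackable(event.get("env", {}).get("PATH", "")):
        findings.append("writable_dir_ahead_in_PATH")  # codesign lookup can be redirected
    return findings

# Constructed sample events in the shape an EDR might record (exec + environment).
SAMPLE_EVENTS = """\
{"pid":501,"bundle_id":"com.google.Chrome","authority":"Developer ID Application: Google LLC (TEAMID)","target":"com.microsoft.CompanyPortalMac.ssoextension","env":{"PATH":"/usr/local/bin:/usr/bin:/bin"}}
{"pid":777,"bundle_id":"com.google.Chrome","authority":"","target":"com.microsoft.CompanyPortalMac.ssoextension","env":{"PATH":"/tmp:/usr/bin:/bin"}}
{"pid":802,"bundle_id":"com.example.tool","authority":"Developer ID Application: Example Corp (TEAMID)","target":"com.microsoft.CompanyPortalMac.ssoextension","env":{"PATH":"/usr/bin:/bin"}}
"""

def scan(lines):
    """Map pid -> findings for every event that triggers at least one detection."""
    alerts = {}
    for line in lines.splitlines():
        if line.strip():
            ev = json.loads(line)
            if hits := evaluate(ev):
                alerts[ev["pid"]] = hits
    return alerts
```

Running `scan(SAMPLE_EVENTS)` leaves the genuine Chrome process alone and reports the unsigned Chrome impostor with a /tmp-first PATH and the unknown third-party binary.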

The research serves as a stark reminder that as we move toward cloud-native identity, the security of the endpoint remains the bedrock of the entire stack. If the endpoint can be compromised, the identity is compromised. Pentesters should prioritize testing these SSO flows in their next engagement, as they often represent a path of least resistance into high-value cloud environments.

Talk Type: research presentation
Difficulty: advanced
Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks

98 talks · 2025