BHMailer App — Email Compromise Explained
The term "BHMailer" does not refer to a real Microsoft application. It appears in cases where an Outlook/Microsoft account has been compromised and the attacker adds an unauthorized third-party app to the victim's email via OAuth (app permissions).
This gives the attacker the ability to send emails "on behalf" of the user without needing their password. The result is automated spam or phishing emails, the creation of draft messages, and suspicious mailbox activity -- often followed by temporary account lockouts due to security triggers.
The phenomenon is commonly reported in real Microsoft support cases involving identity and email compromise.
How BHMailer Appears
Users typically notice one or more of the following signs:
Unauthorized Emails
Emails sent that the user did not write
Suspicious Drafts
New drafts addressed to unknown contacts
Unknown Apps
Unknown applications under App Permissions
Malicious Rules
Malicious inbox rules (redirect, auto-forward)
Login Attempts
Multiple suspicious login attempts
Security Info Changes
Security info replacement attempts (30-day replacement)
What the User Should Do
If you suspect your account has been compromised, take these steps immediately:
Check App Permissions
Remove any applications that you do not recognize from your Microsoft account.
Check Inbox Rules
Delete suspicious rules that forward or delete messages.
Disconnect All Sessions
Sign out of all active sessions across all devices.
Reset Password
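Change your password to a strong, unique one. A new password alone does not remove an unauthorized app's access, because that access does not depend on the password, so complete the App Permissions step as well.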
Enable Multi-Factor Authentication (MFA)
Protect the account by enabling MFA across all login methods.
Check Email Connectors
Ensure no malicious connectors or unauthorized mail components exist.
Review Security Info
Confirm that your recovery email and phone number have not been replaced.
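For the Check Inbox Rules step above, the following added example (not part of the original page) flags rules that forward, redirect or delete mail so they can be reviewed by hand. It assumes the rules were exported as JSON in the shape of Microsoft Graph messageRule objects; the sample rules, the addresses and the own_domain parameter are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph messageRule objects
# (assumed export format; not data from a real mailbox).
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "folder-id-1", "stopProcessingRules": true}},
  {"displayName": ".", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "collector@external.example"}}],
               "markAsRead": true}},
  {"displayName": "cleanup", "isEnabled": true,
   "conditions": {"subjectContains": ["security alert", "password"]},
   "actions": {"delete": true}},
  {"displayName": "Team copy", "isEnabled": false,
   "actions": {"redirectTo": [{"emailAddress": {"address": "colleague@contoso.example"}}]}}
]
""")

RELAY_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_ACTIONS = ("delete", "permanentDelete")

def review_rule(rule, own_domain):
    """Return a list of reasons this rule deserves manual review (empty if none)."""
    actions = rule.get("actions") or {}
    reasons = []
    for key in RELAY_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "")
            domain = addr.rpartition("@")[2].lower()
            where = "external" if domain != own_domain.lower() else "internal"
            reasons.append(f"{key} -> {addr} ({where})")
    for key in DELETE_ACTIONS:
        if actions.get(key):
            reasons.append(f"{key} on matching mail")
    # A disabled rule is still worth removing; note its state for the reviewer.
    if reasons and not rule.get("isEnabled", True):
        reasons.append("currently disabled")
    return reasons

def suspicious_rules(rules, own_domain):
    """Map rule name -> reasons, for every rule that forwards, redirects or deletes."""
    return {r.get("displayName", "<unnamed>"): why
            for r in rules if (why := review_rule(r, own_domain))}

if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES, "contoso.example").items():
        print(f"{name!r}: {'; '.join(why)}")
```

A flagged rule is not automatically malicious; the output is a shortlist for the manual review described in the step, with rules that relay mail to an external address as the first ones to check.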
Conclusion
BHMailer is not an application -- it is a symptom of an email compromise incident. Recovery focuses on removing unauthorized app permissions, eliminating malicious rules, restoring account settings, and strengthening security through MFA.