BHMailer App – What It Is and How It Relates to Email Compromise Incidents
The term “BHMailer” does not refer to a real Microsoft application.
It appears in cases where an Outlook/Microsoft account has been compromised and the attacker adds an unauthorized third-party app to the victim’s email via OAuth (app permissions).
This gives the attacker the ability to send emails “on behalf” of the user without needing their password. The result is automated spam or phishing emails, the creation of draft messages, and suspicious mailbox activity—often followed by temporary account lockouts due to security triggers.
The phenomenon is commonly reported in real Microsoft support cases involving identity and email compromise.
How BHMailer Appears
Users typically notice one or more of the following signs:
- Emails sent that the user did not write
- New drafts addressed to unknown contacts
- Unknown applications under App Permissions
- Malicious inbox rules (redirect, auto-forward)
- Multiple suspicious login attempts
- Security info replacement attempts (30-day replacement)
What the User Should Do
- Check App Permissions
Remove any applications that you do not recognize from your Microsoft account.
- Check Inbox Rules
Delete suspicious rules that forward or delete messages.
- Disconnect All Sessions
Sign out of all active sessions across all devices.
- Reset Password
Change your password to a strong, unique one.
- Enable Multi-Factor Authentication (MFA)
Protect the account by enabling MFA across all login methods.
- Check Email Connectors
Ensure no malicious connectors or unauthorized mail components exist.
- Review Security Info
Confirm that your recovery email and phone number have not been replaced.
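For the inbox-rule check above, the following added example (not part of the original page) triages rules exported as JSON in the shape returned by Microsoft Graph's `messageRules` endpoint, flagging those that forward or redirect mail outside your own domains or delete messages. The function name `triage_rules`, the domain `contoso.example` and the sample rules are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph
# GET /me/mailFolders/inbox/messageRules response (not real data).
SAMPLE = json.loads("""
{"value": [
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "AAMkAD-constructed", "stopProcessingRules": true}},
  {"displayName": ".", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailbox.example"}}],
               "delete": true}},
  {"displayName": "Team copy", "isEnabled": true,
   "actions": {"redirectTo": [{"emailAddress": {"address": "lead@contoso.example"}}]}},
  {"displayName": "old", "isEnabled": false,
   "actions": {"permanentDelete": true}}
]}
""")

FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_KEYS = ("delete", "permanentDelete")

def triage_rules(rules, own_domains):
    """Return (rule name, reasons) for rules that forward outside own_domains
    or delete mail. Disabled rules are reported too: they can be re-enabled."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        reasons = []
        for key in FORWARD_KEYS:
            for rcpt in actions.get(key) or []:
                addr = (rcpt.get("emailAddress") or {}).get("address", "")
                domain = addr.rpartition("@")[2].lower()
                if domain not in own:
                    reasons.append(f"{key} -> external {addr}")
        for key in DELETE_KEYS:
            if actions.get(key):
                reasons.append(f"{key} on matching mail")
        if reasons:
            if not rule.get("isEnabled", True):
                reasons.append("currently disabled")
            findings.append((rule.get("displayName", ""), reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE["value"], ["contoso.example"]):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Rules with blank or single-character names, like the constructed "." rule here, deserve the same scrutiny as any other flagged rule before deletion.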
Conclusion
BHMailer is not an application — it is a symptom of an email compromise incident.
Recovery focuses on removing unauthorized app permissions, eliminating malicious rules, restoring account settings, and strengthening security through MFA.