ctipilot.ch · Switzerland · Europe · Public sector

Kaspersky Q1 2026 Exploits and Vulnerabilities Report

annual-report · annual-report:kaspersky-q1-2026-exploits

  • Coverage timeline: 1 (first 2026-05-08 → last 2026-05-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 11 (6 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-08 · CTI Daily Brief — 2026-05-08
    research: First and only treatment. Document-based exploit resurgence; Office Protected View bypass dominant Q1 2026; +34% browser exploitation QoQ; RaaS groups acquiring zero-days directly from brokers. [SINGLE-SOURCE-OTHER]

Where this entity is cited

  • research: 1

Source distribution

  • securelist.com: 5 (45%)
  • kaspersky.com: 2 (18%)
  • bleepingcomputer.com: 1 (9%)
  • helpnetsecurity.com: 1 (9%)
  • thehackernews.com: 1 (9%)
  • therecord.media: 1 (9%)

Related entities

All cited sources (11)

Items in briefs about Kaspersky Q1 2026 Exploits and Vulnerabilities Report (2)

Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Kaspersky's quarterly exploitation analysis for Q1 2026 identifies a marked resurgence in document-based exploit delivery, with Microsoft Office and PDF readers accounting for the largest share of initial-access exploit deployments. The most exploited CVE class involved Office Protected View bypass chains (multiple CVEs published in the January 2026 Patch Tuesday). Browser exploitation via V8 memory corruption grew 34% quarter-on-quarter. A significant structural trend is that ransomware-as-a-service operators are increasingly acquiring zero-day exploits directly from private brokers rather than relying on publicly available PoC code, shortening the detection window between disclosure and mass exploitation. The report also lists Excel macro delivery via cloud storage abuse as an emerging initial-access technique.

Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Kaspersky researchers documented a campaign technique that uses legitimate Amazon Simple Email Service (SES) accounts to deliver attacker-crafted phishing and business-email-compromise (BEC) lures. Because the messages originate from genuine SES infrastructure, SPF and DKIM authentication passes, and the messages evade most email security gateway filters that are based on sender reputation. Attackers obtain SES API credentials from publicly exposed AWS configuration files (S3 bucket misconfigurations, leaked GitHub repositories). Observed campaign goals include invoice-fraud lures targeting finance departments and credential phishing pages hosted on AWS infrastructure. Kaspersky observed targeting of finance departments at European manufacturing firms. This report is approximately 96 hours old at publication; this is its first coverage in this brief series.