The majority of vulnerabilities used by cyber-criminals last year in phishing attacks and exploit kits were found in Microsoft products, with some dating back several years, according to Recorded Future.

The security vendor followed-up a similar 2016 report by analyzing thousands of sources — including code repositories, deep web forum postings, and dark web onion sites — to spot “co-occurrences” with known software flaws.

Unlike the 2016 and 2015 reports, where Adobe Flash dominated the rankings, Microsoft led the way with seven out of the top 10 vulnerabilities.

The most commonly observed vulnerability was CVE-2017-0199, found in several Microsoft Office products and allowing attackers to download and execute a Visual Basic script containing Powershell commands from a malicious document.

It was spotted in multiple phishing attacks and linked to 11 separate pieces of malware, while exploit builders for the flaw were seen on the dark web last year being sold for between $400-$800, according to the report.

The second most frequently cited vulnerability, CVE-2016-0189, appeared on the 2016 rankings. It’s an Internet Explorer vulnerability which served as a popular avenue for exploit kits in 2017, Recorded Future claimed.

Alongside these two were five more Microsoft vulnerabilities dating from 2017, 2016 and even 2014. The three Adobe Flash bugs on the list were first published in 2015 and 2016.

The continued popularity of these flaws should be a timely reminder of the need to patch known vulnerabilities. Just this week, for example, Boeing was caught out after some machines in its South Carolina facility were infected with WannaCry.

Overall, however, Recorded Future claimed to have seen a decline in exploit kit activity — a 62% drop in new variants.

“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage,” explained report author, Scott Donnelly. “Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”

The firm urged users to switch to Google Chrome as their primary browser; improve user training; frequently back-up to mitigate the risk of ransomware; use ad-blockers to prevent malvertising; and remove affected software if it doesn’t impact key business processes.

It also warned firms to be aware that social sites like Facebook may use Flash, exposing users to cyber-risk.