Named LogoKit, this phishing tool is already deployed in the wild, according to threat intelligence firm RiskIQ, which has been tracking its evolution.
The company said it already identified LogoKit installs on more than 300 domains over the past week and more than 700 sites over the past month.
The security firm said LogoKit relies on sending users phishing links that contain their email addresses.
"Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google's favicon database," RiskIQ security researcher Adam Castleman said in a report on Wednesday.
"The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site," he added.
"Should a victim enter their password, LogoKit performs an AJAX request, sending the target's email and password to an external source, and, finally, redirecting the user to their [legitimate] corporate web site."
This is different from standard phishing kits, most of which need pixel-perfect templates mimicking a company's authentication pages.
The kit's modularity allows LogoKit operators to target any company they want with very little customization work and mount tens or hundreds of attacks a week against a wide-ranging set of targets.
RiskIQ said that over the past month, it has seen LogoKit being used to mimic and create login pages for services ranging from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.
Because LogoKit is so small, the phishing kit doesn't always need its own complex server setup, as some other phishing kits need. The kit can be hosted on hacked sites or legitimate pages for the companies LogoKit operators want to target.
RiskIQ said its tracking this new threat closely due to the kit's simplicity, which the security firm believes helps improve its chances of a successful phish.