For example, using the challenge-verify mechanism that Luke-Jr showed above, you can use an unsigned transaction as the challenge and the user would sign it and send the signature to the malicious attacker.
No, you can't.
First, the challenge must be an understandable message, not just random-looking data.
Second, the message is internally prepended with a prefix before signing, to ensure this very thing doesn't happen.
Finally, it is not valid to sign a message with a key that has been used as an address in a transaction already, only unused addresses.