Recovery to arbitrary signature

The ECDSA code warns us here:

IMPORTANT: hash must be the result of a hash operation for the verification to be secure: it is possible to craft signatures that recover to arbitrary addresses for non-hashed data.

Can someone explain this attack to me? Presumably, we sign the hash, so why can't the attacker just hash a different message and then craft a signature for the new hash?

I'm genuinely curious how this attack would be pulled off. Are there any academic papers on the topic?