Fake Alexa / Google Home skill OAuth re-link lure — email claims an Alexa, Google Home, Home Assistant, or HomeKit skill requires account re-linking via OAuth at a non-official URL, harvesting credentials or granting malicious OAuth scope. Extension of the R2 oauth-device-code-phishing-lure into the voice-assistant ecosystem; Push Security 2025 consent-phishing trend. Distinct from R2 #1 (Microsoft devicelogin) and fake-smart-home-device-breach-lure (breach narrative)

Email claiming that an Alexa skill, Google Home integration, Home Assistant automation, or Apple HomeKit skill has been disabled because account linking expired or requires re-authorization — directing the recipient to complete an OAuth consent flow at a non-official URL that harvests Amazon, Google, or Apple credentials or grants a malicious third-party OAuth scope. Logical extension of the R2 `oauth-device-code-phishing-lure` into the voice-assistant ecosystem: the Alexa Skills Kit Account Linking documentation established the OAuth 2.0 re-link UX expectation that adversaries mimic; Push Security's 2025 consent-phishing trend research confirmed that voice-assistant skill re-link flows are increasingly targeted. Real Amazon, Google, and Apple re-link notifications come exclusively from official domains (@amazon.com / @google.com / @apple.com) and authenticate through official authorization servers, not third-party landing pages. Distinct from R2 #1 (Microsoft OAuth device-code harvest), R4 #2 (token copy-paste), and `fake-smart-home-device-breach-lure` (generic breach narrative without the OAuth re-link component). Fires when all three clusters are present: voice-assistant brand + skill-link/disable language + OAuth sign-in CTA.