CSRF works by making a victim's browser send a request that the attacker has crafted. For instance, when a user clicks a link in an email or visits a malicious page, that page can cause the browser to issue a request (an auto-submitted form, an image load, a script-triggered fetch) to a web application the user is currently logged in to. The browser automatically attaches the user's credentials for that application, typically the session cookie, to the request, so the application cannot tell it apart from one the user intended: it treats the request as legitimate and performs whatever state-changing action the attacker chose.