Here's an example.
You're logged onto your banking website and you receive an email from an attacker with a link to click on. This link has a maliciously crafted request to post £100 into his account from your own account. Once you click on the link, this request goes through, i.e. a fraudulent, unwanted transaction.
It relies on a pre-authenticated session already existing. Also, to the backend server it looks like a legitimate request - there's no way of distinguishing it.
Ways to mitigate are things like a requirement to re-enter your password when transferring money, or CAPTCHA confirmation, or using tokens. ASM can mitigate CSRF by injecting tokens into the application that can't be posted in a malicious link.
Hope this helps,
N
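
The token mitigation described in the post above, as an added example that is not part of the original post and is not ASM's own implementation. It is a minimal server-side sketch of a session-bound token check; the handler, session IDs and form field names are hypothetical, and the sample requests are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the genuine transfer form, bound to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def csrf_token_valid(session_id: str, token) -> bool:
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def handle_transfer(sessions: dict, cookie_sid: str, form: dict) -> str:
    """Hypothetical handler: a valid session cookie alone is not sufficient."""
    if cookie_sid not in sessions:
        return "401 not logged in"
    if not csrf_token_valid(cookie_sid, form.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


SESSIONS = {"sid-victim": "alice", "sid-other": "mallory"}  # constructed sample data


def demo() -> list:
    # 1) Form served by the bank itself: carries the token for this session.
    genuine = {"to": "landlord", "amount": "100",
               "csrf_token": issue_csrf_token("sid-victim")}
    # 2) Request triggered by an emailed link: the browser attaches the
    #    session cookie automatically, but the link cannot contain the token.
    forged = {"to": "attacker", "amount": "100"}
    # 3) Token issued for a different session: rejected by the session binding.
    foreign = {"to": "attacker", "amount": "100",
               "csrf_token": issue_csrf_token("sid-other")}
    return [handle_transfer(SESSIONS, "sid-victim", f)
            for f in (genuine, forged, foreign)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

All three requests arrive with the same valid session cookie, which is why the cookie cannot be what the server relies on to tell them apart.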