1. Attacker starts a log in and triggers a magic link email
2. Email received and my browser client previews the link without my desire
3. Attacker is now logged in
That’s why you combine it with a check for source IP and tell your user that they need to approve from a device that has same IP as the one they are logging in on. So if I’m logging in on my laptop, and approving with my phone, it will be rejected if my phone is using mobile data while my laptop is using landline, but will approve if my phone is connected to WiFi of the same network my laptop is connected to, or if my laptop is tethered via my phone, because then I have same external source IP on both devices.
This scenario is a solution only in simplest cases. It doesn't work when someone routinely uses a VPN on the phone (when often uses free public wi-fi in airports, railway stations, markets etc) because of possible MITM attacks.
The links are one-time use so you need to take this into account anyway or users simply can't login. It's usually done with a required button click after following the magic link. Or you can try JavaScript techniques to detect a real browser.
1. Attacker starts a log in and triggers a magic link email 2. Email received and my browser client previews the link without my desire 3. Attacker is now logged in