A method and apparatus are described for user protection from external e-mail attack. Some embodiments pertain to receiving a first e-mail at an e-mail client, receiving a detection of a suspicious element in the first e-mail from a detection system, flagging the first e-mail as suspicious with a first flag and a first warning level in response to receiving the detection, flagging a second e-mail with a second flag and a second warning level, displaying the first and second flags with explanatory text in a mailbox view of the e-mail client without opening the first and second e-mail for display to the user, the suspicious element not being selectable in the mailbox view, and sorting the first and the second e-mail with other e-mails of the mailbox view based on the flag warning levels.