Phishing and threat detection and prevention

US9787714B2 · US · B2

Patent metadata
Publication number: US-9787714-B2
Application number: US-201615334107-A
Country: US
Kind code: B2
Filing date: Oct 25, 2016
Priority date: Aug 21, 2014
Publication date: Oct 10, 2017
Grant date: Oct 10, 2017

Abstract

Official abstract text for this publication.

A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.

First claim

Opening claim text (preview).

What is claimed is:

1. A database system for detecting and preventing phishing attacks, the database system comprising: a hardware processor; and one or more stored sequences of instructions which, when executed by the hardware processor, cause the hardware processor to perform operations comprising: detecting a request from a user to open an electronic mail message (email) after the email has arrived and received in a user mailbox; sending a link contained in the received email to a threat detection server in response to detecting the user request to open the received email from the user mailbox; receiving a threat level indication for the link back from the threat detection server; modifying a document object model (DOM) for the received email to include a message indicating the threat level of the link; and opening the received email and using the modified DOM to display the included message based on a type of the threat level indication received from the threat detection server.

2. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising: receiving a block indication in the threat level indication from the threat detection server; removing the link from the received email based on the block indication; and modifying the DOM to display a warning in the message indicating the link is associated with a phishing attack.

3. The database system of claim 2, wherein the instructions further cause the processor to perform operations comprising replacing the link in the received email with a cross out image of the link.

4. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising attaching a reporting link to the received email, the reporting link connecting to a web page on the threat detection server for reporting suspicious links.

5. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising operating a security agent in a web browser, the security agent carrying out the steps of: detecting the request to open the received email; identifying the link in the received email; sending the link to the threat detection server; receiving the threat level indication back from the threat detection server; and modifying the DOM for the received email to include the message indicating the threat level of the link.

6. The database system of claim 5, wherein the instructions further cause the security agent to perform operations comprising: removing the link from the received email when the threat level indication indicates the link as blacklisted; and opening the received email only after modifying the DOM and removing the link from the received email.

7. The database system of claim 1, wherein the instructions further cause the processor to perform operations comprising: receiving the threat level indication based on the threat detection server comparing the link with a blacklist; and opening the received email only after receiving the threat level indication and modifying the DOM.

8. A system for detecting a security threat in an electronic mail message (email), comprising: a hardware processor configured to operate a security agent in a web browser, wherein the security agent is configured to: detect a request from a user to open the email after the email has arrived and received in a user mailbox; identify a link in the received email in the user mailbox; send the link to a threat detection server in response to detecting the user request to open the received email; receive a threat level indication for the link back from the threat detection server; generate a message, included in the received email, identifying the threat level indication for the link; and open the received email and display the generated message based on a type of the threat level indication received from the threat detection server.

9. The system of claim 8, wherein the security agent is further to remove the link from the received email when the threat level identifies the link as blacklisted.

10. The system of claim 9, wherein the security agent is further to display a warning notification in the message when the threat level indication identifies the link as blacklisted.

11. The system of claim 8, wherein the security agent is further to display a trusted link notification in the message when the threat level indication identifies the link as whitelisted.

12. The system of claim 8, wherein the security agent is further to display an ok notification in the message when the threat level indication indicates the link is not blacklisted or whitelisted.

13. The system of claim 8, wherein the security agent is further to insert a reporting link in the message to connect to the threat detection server and report the link as suspicious.

14. The system of claim 8, wherein the security agent is further to modify a document object model (DOM) for the received email to include the message.

15. The system of claim 14, wherein the security agent is further to modify the DOM to remove the link from the received email and display a warning in the message when the threat level indication identifies the link as blacklisted.

16. The system of claim 8, wherein the security agent is further to: send the link to the threat detection server in response to the request to open the received email; receive the threat level indication back from the threat detection server after the link is compared with a blacklist and prior to opening the received email; and open the received email only after the threat level indication is received.

17. A threat detection server for detecting security threats in electronic mail messages (emails), comprising: one or more hardware processors configured to: receive links from an email system, the received links contained in the emails and received in response to user requests to open the emails after the emails have arrived and received in user mailboxes; generate, by the threat detection server, threat level indicators based on a comparison of the received links with a blacklist of links associated with the security threats; send the threat level indicators back to the email system, wherein the threat level indicators enable the email system to: generate messages, included in the received emails, indicating threat levels of the received links, and open the received emails and display the included messages based on types of the threat level indicators sent by the threat detection server.

18. The threat detection server of claim 17, further comprising sending block threat levels indicators to the email system for the received links in the blacklist, the block indicators causing the email system to remove the received links prior to opening the emails.

19. The threat detection server of claim 17, further comprising sending trusted threat level indicators to the email system for the received links in a whitelist of trusted links.

20. The threat detection server of claim 17, further comprising: receiving threat reports from the email system identifying suspected phishing links in the emails; count a number of the threat reports received for each of the suspected phishing links; and assign the suspected phishing links to the blacklist when the number of threat reports for the suspected phishing links exceeds a threshold.
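The server-side list lookup and report threshold described in the abstract and in claims 17 to 20, together with the agent's handling of each indication, as an added JavaScript example that is not part of the patent text. The class and function names, the URL normalization, blacklist-over-whitelist precedence, and counting one report per user are assumptions made for this illustration.

```javascript
// Added illustration; every name here is hypothetical, not from the patent.
function normalize(link) {
  try {
    const u = new URL(link.trim());
    u.hash = "";                        // the fragment is never sent to a server
    return u.toString();                // URL lower-cases scheme and host
  } catch {
    return link.trim();                 // unparseable: compare as a raw string
  }
}

class ThreatServer {
  constructor({ whitelist = [], blacklist = [], threshold = 2 } = {}) {
    this.whitelist = new Set(whitelist.map(normalize));
    this.blacklist = new Set(blacklist.map(normalize));
    this.threshold = threshold;
    this.reports = new Map();           // link -> Set of reporting users
  }

  // Threat level indication sent back to the browser agent.
  classify(link) {
    const key = normalize(link);
    if (this.blacklist.has(key)) return "block";   // assumption: blacklist wins
    if (this.whitelist.has(key)) return "trusted";
    return "ok";
  }

  // Claim 20: blacklist a link once its report count exceeds the threshold.
  // Assumption: repeat reports from the same user are counted once.
  report(link, user) {
    const key = normalize(link);
    if (!this.reports.has(key)) this.reports.set(key, new Set());
    const users = this.reports.get(key).add(user);
    if (users.size > this.threshold) this.blacklist.add(key);
    return users.size;
  }
}

// What the agent applies to the email before it is opened.
function agentDecision(server, link) {
  const level = server.classify(link);
  const notice = { block: "warning", trusted: "trusted link", ok: "ok" }[level];
  return { level, removeLink: level === "block", notice };
}
```

Comparing normalized URLs rather than raw strings keeps a case or fragment variation of a listed link from slipping past the exact-match lookup.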

Classifications

  • Access control lists [ACL]

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12)

  • using filtering or selective blocking

  • Commands or executable codes

  • to a system of files or objects, e.g. local or distributed file system or database

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Salesforce Com Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1483. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 10, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).