Example threat detection methods and apparatus are disclosed. One example method includes obtaining page code of a first display page group identified by a uniform resource locator (URL) and an overall size occupied by the first display page group in a display area of a browser of a Web sandbox when loading the URL in the browser. After preset dynamic code is injected into the page code of the first display page group, the page code is parsed and executed. A request message is sent when a value of a display variable is greater than or equal to a preset value, to request to obtain page code of a second display page group. A response message that carries the page code of the second display page group is received. It is further detected, in the Web sandbox, whether the page code of the second display page group carries attack code.