Black-box Adversarial Attacks with Limited Queries and Information

2018 | Andrew Ilyas, Logan Engstrom, Anish Athalye, Jessy Lin
The paper addresses the vulnerability of neural network-based classifiers to adversarial examples, even in the black-box setting where the attacker has limited query access. It introduces three realistic threat models—query-limited, partial-information, and label-only—more reflective of real-world systems. The authors develop new attack methods that are effective under these restrictive conditions, demonstrating their effectiveness against an ImageNet classifier and a commercial classifier, the Google Cloud Vision API. Key contributions include query-efficient adversarial examples using Natural Evolutionary Strategies (NES) and algorithms for partial-information and label-only settings. The evaluation shows that the proposed methods can produce targeted adversarial examples with significantly fewer queries compared to previous approaches, highlighting the continued vulnerability of machine learning systems despite limited access.