To address the poor robustness of black-box neural ranking models (NRMs), this paper proposes the first chain-of-thought (CoT) attack framework leveraging large language model (LLM) collaboration. Starting from an anchor document, the method constructs a verifiable, multi-step reasoning chain; an LLM guides dynamic perturbation word allocation, while black-box query feedback enables iterative refinement of adversarial examples. Its key contributions are: (1) establishing the first black-box attack paradigm that explicitly models interactive LLM–NRM cooperation; and (2) introducing a controllable, interpretable chain-based reasoning mechanism that jointly ensures attack effectiveness and procedural transparency. Evaluated on two mainstream web search benchmarks, the approach significantly outperforms existing black-box attacks in degrading target document rankings, demonstrating superior effectiveness and strong cross-dataset generalization capability.

Neural ranking models (NRMs) have been shown to be highly effective in terms of retrieval performance. Unfortunately, they have also displayed a higher degree of sensitivity to attacks than previous generation models. To help expose and address this lack of robustness, we introduce a novel ranking attack framework named Attack-in-the-Chain, which tracks interactions between large language models (LLMs) and NRMs based on chain-of-thought (CoT) prompting to generate adversarial examples under black-box settings. Our approach starts by identifying anchor documents with higher ranking positions than the target document as nodes in the reasoning chain. We then dynamically assign the number of perturbation words to each node and prompt LLMs to execute attacks. Finally, we verify the attack performance of all nodes at each reasoning step and proceed to generate the next reasoning step. Empirical results on two web search benchmarks show the effectiveness of our method.