Hybrid Attacks are a kind of cyberattack where the perpetrator blends two or more kinds of tools to carry out the assault.
A typical hybrid attack is one that merges a dictionary attack and a brute-force attack. The former would contain a list of potentially known credential matches (wordlist). The latter would apply a brute-force attack upon each possible match.
An example of how a hybrid attack works is as follows. Using a list of breached usernames and passwords obtained from prior incidents, hackers launch a credential-stuffing attack conceived of as a simple match against the login fields on the target enterprise(s). However, the attack is amplified through the use of a brute-force method of trying more combinations of what is known by automating additions of numbers, symbols, and the like in response to user habits to minimally modify passwords over time.
“Credentials-based attacks have grown far more sophisticated than the simple cramming of known passwords into login fields. They now combine stolen libraries of known passwords with brute-forcing of variants of that information into a hybrid attack that is more advanced — and more dangerous.”