# Generate password variations
hashcat --stdout rockyou.txt -r best64.rule > mutated_passwords.txt
# Then pair with usernames
# Combine two lists into all combos (cartesian product)
while read user; do while read pass; do echo "$user:$pass"; done < passwords.txt; done < usernames.txt > combos.txt
Even if the openbulletwordlist contains the correct password, MFA stops the attack cold (provided the site doesn't have MFA fatigue vulnerabilities).