User.Read.All: the silent reconnaissance that precedes the real attacks
The stealthiest permission in the high-risk family. Invisible in native audit, it arms BEC and spear-phishing against the finance chain. Bound attribute projection, pagination, and enumeration by rule.