Forum Discussion
Spoofed email from @micrsoft.com landed in my VP's inbox.
Sounds like you're expecting the DMARC reject to result in an outright rejection of the message.
From that header info, the message was marked as SCL 5 (spam).
Per this article:
Currently, for all customers of Office 365 – ATP and non-ATP - messages that fail DMARC with a policy of reject or quarantine are marked as spam and usually take the high confidence spam action, or sometimes the regular spam action (depending on whether other spam rules first identify it as spam). Intra-org spoof detections take the regular spam action. This behavior does not need to be enabled, nor can it be disabled.
So, outright rejection is never the outcome. This makes sense from the perspective that Microsoft would not want to be discarding (losing) email from senders who have made a mistake with their DMARC records, and also because of the impact it would have on things like forwarding and mailing lists. But, the header info is written there for customers (you) to make more aggressive filtering decisions using mail flow rules if you wish.
The question is then why an SCL 5 mail made it to the user's inbox. That could be due to the spam filter policy that has been configured for that user, or as Support has suggested to you, a hidden mailbox rule. So keep investigating that angle.
- Paul Cunningham, Jul 11, 2018, Iron Contributor
Correct. Office 365 currently treats them the same, according to that doc I linked to.
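Added example, not part of the thread and not Microsoft's code: a small Python triage helper that reads the header info discussed above (the DMARC result in `Authentication-Results` and the SCL in `X-Forefront-Antispam-Report`) from a saved message. The sample message, the function names, and the list of enforcing `action=` values are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from the thread).
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=oreject header.from=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:;SCL:5;SFV:SPM;PTR:;
From: "Support" <noreply@example.com>
Subject: constructed test message

body
"""

# Assumption: action values that indicate a failed reject/quarantine policy.
ENFORCING = {"oreject", "o.reject", "quarantine"}


def parse_verdict(raw):
    """Extract the DMARC result/action and the SCL/SFV fields from raw headers."""
    msg = message_from_string(raw)
    # Collapse folded header lines into one space-separated string.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    report = msg.get("X-Forefront-Antispam-Report") or ""
    dmarc = re.search(r"\bdmarc=(\w+)(?:\s+action=([\w.]+))?", auth)
    pairs = (f.split(":", 1) for f in report.split(";") if ":" in f)
    fields = {k.strip(): v.strip() for k, v in pairs}
    scl = fields.get("SCL", "")
    return {
        "dmarc": dmarc.group(1) if dmarc else None,
        "action": dmarc.group(2) if dmarc else None,
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
        "sfv": fields.get("SFV") or None,
    }


def triage(v):
    """Classify a parsed verdict for follow-up."""
    failed = v["dmarc"] == "fail" and v["action"] in ENFORCING
    if failed and v["scl"] is not None and v["scl"] >= 5:
        # The filter did its part; if the mail still reached the inbox,
        # look at the spam filter policy action and mailbox rules.
        return "marked-spam"
    if failed:
        return "dmarc-fail-not-marked-spam"
    return "no-dmarc-failure"


if __name__ == "__main__":
    print(triage(parse_verdict(SAMPLE)))
```

A `marked-spam` result for a message that was found in the inbox points the investigation at delivery-side configuration rather than at the DMARC evaluation itself.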