First off, your SPF policy alone will not necessarily block the offending email. Do you also have your DMARC policy at p=reject? That's the most important part.
In terms of other actions, the key thing for you to do is analyze the offending email in the feedback report (FBR) to verify if there is any kind of phishing campaign against your domain/brand and, if so, you should have the URL in the FBR from Microsoft that you will want to have taken down.
Beyond that, there is no typical action taken. The primary threat intelligence from FBRs is just the URL and contents (if targeted) of the message in question.
If the email captured in the FBR was just generic pharma spam or similar, it was almost certainly sent by an infected home computer and the IP is unlikely to reappear in any targeted manner.