Yes, that message is really from Facebook. And, yes, it's really malicious.
Facebook once again found itself being used as an attack vector -- this time for the well-known and much-feared Locky ransomware. Two days ago, security researchers Bart Blaze and Peter Kruse reported that malicious messages delivered via Facebook Messenger were being used to trick unsuspecting marks into kicking off a download and install process that, in some cases, ended with Locky ransomware being installed on victims' PCs. Of all the social media platforms, Facebook is undoubtedly the most heavily targeted, given the unsurpassed size of its user base as well as the wide range of native functionality that it offers malicious actors. While many of the elements in this particular attack have been seen before, there was at least one that was new and rather unique.
We agree with KnowBe4 that we should all regard popular social media services as potential attack vectors and take appropriate steps to educate our users about the threats that lurk in online venues that are otherwise widely trusted by default. We strongly recommend blocking Facebook on work computers and encouraging employees to access Facebook after work hours and/or on breaks using their mobile devices.