I got an invitation from @facebook to a security event. I think it's not a phishing mail. But I'm not really sure. They're not using any facebook[dot]com subdomain or other domain that clearly belongs to FB. But they don't ask for my login credentials, so it can't be phishing.
if it's the same one I got: the registrar was markmonitor and listed Facebook as owner in the whois data, so I'm preeeetty sure that it's legit?